General

  • Target

    updated order00pdf.exe

  • Size

    694KB

  • Sample

    250123-rj96pstmgp

  • MD5

    3eb2ceb99c3ef6893ace27ea06be4cfa

  • SHA1

    c0d1da3207d947f99c1809cf94055adbdde7c3d7

  • SHA256

    28a65019d2736dd82fdb229c9e6f5ff053c25e095d118ae03359238f44ba22d7

  • SHA512

    6e9d570a4e5e20a2d0acd3fd4beebc872238e99aec72a747b3aec809c46f4a26dd651d39be69026f4d061a66d515e131ae830e663104d688fb0841f2b4fe4158

  • SSDEEP

    12288:eQFtq5Aai1/mnTesWGrzVXxBEgqO/kCerVYuVH3Uv2Hd9:eMq5Aai10mMzJkjxD2sd9

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    a02d

  • Decoy


Targets


    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext
