General
-
Target
467d77d35a6fc815ecbd60b0b320d7ca06e0f8a340c2c3285de4c0430517f8e7.zip
-
Size
572KB
-
Sample
250128-qx2k2stjck
-
MD5
a193ddc3d7a36a6d5702a985e0794448
-
SHA1
dd2ff85d7da543d7e9b6c11652917b27d0feb765
-
SHA256
27a679cdef391d8ce43578cd9e160b07cc8e6f2356e224b3ca1cfef7a163584c
-
SHA512
2c4d49f2cf146a4d13ef67df08bf07a7ff189f8d985003575b5bd15e76d7cf189317de295a9caeffbd9a747c126891206db579e519dfb3d95b632a42ef1dea80
-
SSDEEP
12288:aYOL5j+JPgzhlkSKTznv3pOSglLYRI4P1RWlnnGMMaQxnPQ2klQBZVFPA:a1+JPElkS2fxYYS4jW9CaQx42klQBZVW
Malware Config
Extracted
formbook
4.1
b02a
nnovate.host
yrvo.shop
obify.party
55665.one
vlisazouasiul.store
arjohbs.shop
mjsccc5716.shop
nfluencer-marketing-86606.bond
atellite-internet-74549.bond
arehouse-inventory-82506.bond
kanzaturf.net
airbypatrickmcguire.net
90880a15.buzz
ancake888.info
hopcroma.store
usinessloanscanada524285.icu
mdjr.world
9kct.xyz
ombrd.finance
luratu.xyz
Targets
-
-
Target
467d77d35a6fc815ecbd60b0b320d7ca06e0f8a340c2c3285de4c0430517f8e7.exe
-
Size
651KB
-
MD5
9ecbdf4d5174c3da835a2a7829e06773
-
SHA1
734529d1583291a87ff3cfc8895705e374f0091a
-
SHA256
467d77d35a6fc815ecbd60b0b320d7ca06e0f8a340c2c3285de4c0430517f8e7
-
SHA512
06ce5f9f79ed67731552a64fd4d730512cf10a1b006d3b4e258f357f85d8288e1c8862e4f2e8460ee58ef6ec138ae68b161372443c5091dfb4460f584fb49317
-
SSDEEP
12288:djz40GsIZC+9koIrfqUe1FOB/Uy4d8+1Aeh1bWwU6RnPsdx90:m3GXoIBe1FOf4dOCnPs
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-