General

  • Target

    New Order Request for Offer.exe

  • Size

    837KB

  • Sample

    250204-p8sa3syken

  • MD5

    db6dfd16b1ac39947a9063aa6326bf43

  • SHA1

    e03b5175355d7c413111e23b7fdaa5c84d563ec1

  • SHA256

    7157f19969ea92bb660c62b91144ca8be1d6f1631252c7d1f7125fd957a1cde6

  • SHA512

    3a21778799366577d05001f1936087a6de552844c9c0ceb43bf2f5b12d0d476299606d1718e08e91a620fcd4598fc65c2ef080b8bad567ba540e19171da876ff

  • SSDEEP

    24576:A86weWVAgchq2p7PH9Kb61xFYJH63h/eZ:ABwnAxh7pxm616U9e

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k15k

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
