Resubmissions

01/07/2025, 06:41    250701-hf9akasp12    10

01/07/2025, 06:22    250701-g43bgsdl5v    10

10/06/2025, 16:01    250610-tgnk2azqw5    10

General

  • Target

    271JaJbQjMLGbcc.exe

  • Size

    667KB

  • Sample

    250610-tgnk2azqw5

  • MD5

    17043ee76cd32800262fa06cfc3ac690

  • SHA1

    0f11ac97736fb42fd30d6c4abf1da4549e8f0101

  • SHA256

    6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06

  • SHA512

    0ec8c106a4d55deee49da8a9696f36cbcfb55872d0d2e982416be34ab7e81faa2b2c12f86575e195093d24b78978691c4c242fe7bdf1ab728a68bf92b57d31d7

  • SSDEEP

    12288:disP8yffxahqfDGZW17k0+YHPEd8MwP0WAra3OjuBGy1kuOEXuVjCqfkR:n8yffxQqbuWZk9DNWAr6u+3OCq6

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hi26

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks