General

  • Target

    New order.xlsm

  • Size

    92KB

  • Sample

    200709-lt1vf1h6gx

  • MD5

    2433e76542036ab53b138a98eeda548a

  • SHA1

    fa75a6ce57ec974345eb05a9d5e587a1eef772be

  • SHA256

    148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc

  • SHA512

    3ae2f70b3d39d85d1befea180ee75815abb20349a90cf3678db2e001d5ac362f68230e30680c897e33a05a6dbc1d8a776505751da043797b15327bb38251d243

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: http://sagc.be/svc.exe

Targets

    • Target

      New order.xlsm


    • Formbook

      Formbook is an information-stealing malware family that harvests data from the infected host.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run entry to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks