Overview

overview

10

Static

static

PO EME39134.xlsx

windows7_x64

10

PO EME39134.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO EME39134.xlsx

  • Size

    197KB

  • Sample

    201125-8kvlersfbn

  • MD5

    f36e2fd82cab99bcaef9ab3a9782a9ef

  • SHA1

    a7025bb62c32006928952d001ca41bb203759c6d

  • SHA256

    eaafa016e0754ffed792dab0d4ea318ef3db1671ad265a4906978a863f44703f

  • SHA512

    919e1909d300e4ae3293d151282790422f1d1b4b9659d1ccf69d1031e90d7adcf6132329ab0305d5611410ad5bf19b1e090b583462e75ed9f4a5944b1ce0d89b

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.pethgroup.com/mfg6/

Decoy

sygsytl.com

nansents.com

hoxtv.com

forevergrace.store

vdevny.com

couturetherapie.com

realnice.media

bio1usa.com

xn--n3cgab8bb5cvabb1bu1bw4y.com

restauranttents.com

dillenburghomeinspection.com

boboyan.com

oyagu.com

flawlessfacess.com

rifatreza.com

sellwiththetwins.com

soulmarkhome.com

digitaluj.com

poladip.online

rtrqoo.com

Targets

    • Target

      PO EME39134.xlsx

    • Size

      197KB

    • MD5

      f36e2fd82cab99bcaef9ab3a9782a9ef

    • SHA1

      a7025bb62c32006928952d001ca41bb203759c6d

    • SHA256

      eaafa016e0754ffed792dab0d4ea318ef3db1671ad265a4906978a863f44703f

    • SHA512

      919e1909d300e4ae3293d151282790422f1d1b4b9659d1ccf69d1031e90d7adcf6132329ab0305d5611410ad5bf19b1e090b583462e75ed9f4a5944b1ce0d89b

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks