Overview

overview

10

Static

static

Document R...d.xlsx

windows7_x64

10

Document R...d.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Document Required.xlsx

  • Size

    197KB

  • Sample

    201125-9fkx8wvndx

  • MD5

    8fd8de25313b4fc4255aa5591688d0ea

  • SHA1

    712d9a77d3e3f06dc581389d6f6e4750342c0fe1

  • SHA256

    03a6bc87bb80addefb4be14286dfde8e9bcac5f33cfbc979a7f0663b3bedefc6

  • SHA512

    6465e41c2c08d5bd46b90a0b30ad96b25287db7703e8b883fc8a5f97f150d60ea356b350c0a5d1805213f576ee1b86d60d40a2ec4a6b11945911545330962f32

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.mommabearmoney.com/et2d/

Decoy

wcaconline.com

travelbackpackss.com

ao-m-nishinomiya.com

tilania.com

vegbydesign.net

mybabysisterscloset.com

sanctitude-cuspidated.com

russtybeats.com

dichvubangchuan.com

su-seikatu.info

eratosantorini.com

ninetofivemama.com

delishany.com

pawchamamapet.net

nissicloud.com

strictlyotaku.net

kissmanga.pro

appalachianfx.com

aralending.com

forbrighterlife.com

Targets

    • Target

      Document Required.xlsx

    • Size

      197KB

    • MD5

      8fd8de25313b4fc4255aa5591688d0ea

    • SHA1

      712d9a77d3e3f06dc581389d6f6e4750342c0fe1

    • SHA256

      03a6bc87bb80addefb4be14286dfde8e9bcac5f33cfbc979a7f0663b3bedefc6

    • SHA512

      6465e41c2c08d5bd46b90a0b30ad96b25287db7703e8b883fc8a5f97f150d60ea356b350c0a5d1805213f576ee1b86d60d40a2ec4a6b11945911545330962f32

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks