Overview

overview

10

Static

static

VOMAXTRADING.doc

windows7_x64

10

VOMAXTRADING.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VOMAXTRADING.doc

  • Size

    1.6MB

  • Sample

    201126-7ym4vd7kvs

  • MD5

    30244581b41accd77dab936571e0d87e

  • SHA1

    46ddb3fa250dfb4808c3a43f7846d7c643a4f325

  • SHA256

    2664162d0341d8e5cf1cf3a290b77406d87111e3c9ff3fcf3a4f0836d15d3afe

  • SHA512

    485074c33256cd04b80f1f58297f5d26f55be56cd8837d35a825d8612407b310bfa29cde9e1934eec92da0a77b37f6e21f0ced9e3ce731ed8673c4b4da82f00e

Score
10/10
formbookpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.runwithit.media/bu43/

Decoy

bearrootstherapy.com

odmpay.com

johnfornmgov.com

astrodhaam.com

pumavps.com

empireconstructiontx.com

theboujeestop.com

indictthem.com

plantationbarnof1810.com

nsxs.xyz

lgshowroom.com

allinlifestyle.club

ik-com.net

saitamacity-sports.com

neuromuscularmassagetherapy.com

freespiritnutrition.com

alexanderhamilton.computer

happysay.co.uk

nndesignpr.com

lightweightmouldings.com

Targets

    • Target

      VOMAXTRADING.doc

    • Size

      1.6MB

    • MD5

      30244581b41accd77dab936571e0d87e

    • SHA1

      46ddb3fa250dfb4808c3a43f7846d7c643a4f325

    • SHA256

      2664162d0341d8e5cf1cf3a290b77406d87111e3c9ff3fcf3a4f0836d15d3afe

    • SHA512

      485074c33256cd04b80f1f58297f5d26f55be56cd8837d35a825d8612407b310bfa29cde9e1934eec92da0a77b37f6e21f0ced9e3ce731ed8673c4b4da82f00e

    Score
    10/10
    formbookpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks