Overview

overview

10

Static

static

PI202009255687.xlsx

windows7_x64

10

PI202009255687.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PI202009255687.xlsx

  • Size

    2.5MB

  • Sample

    201126-mwt26jl2bs

  • MD5

    d7c0c12c1cdf36e9f97f96cb3fe16ae0

  • SHA1

    e73e8bd48f5ef68747de444e44d59745cb75b08a

  • SHA256

    76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1

  • SHA512

    1032c3abfa95c26c00c42b5bba0ef6bfd565b9391a255f7eb36f5edee271a46fac0e1a707c23a5820a307a76c4773a8b74f0f15efa2c594d6d79e953c52d5a7b

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.blog-cybersecurite.net/ogg/

Decoy

constmotion.com

castinginiciadas.com

dalvgroup.com

dmetuningkw.com

everygrindcount.com

lovewrendley.com

yourtallahassee.com

healer-jou.com

china-gadge.com

theplatinumworld.com

rakutenlle.xyz

neroflex.com

zdysks.com

e-learningorange.com

starbleach.com

apexappsllc.com

sinteredsurface.com

upcas.info

monetizemybizadvertisers.com

tsptoolbox.net

Targets

    • Target

      PI202009255687.xlsx

    • Size

      2.5MB

    • MD5

      d7c0c12c1cdf36e9f97f96cb3fe16ae0

    • SHA1

      e73e8bd48f5ef68747de444e44d59745cb75b08a

    • SHA256

      76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1

    • SHA512

      1032c3abfa95c26c00c42b5bba0ef6bfd565b9391a255f7eb36f5edee271a46fac0e1a707c23a5820a307a76c4773a8b74f0f15efa2c594d6d79e953c52d5a7b

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks