General

  • Target

    RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc

  • Size

    1.3MB

  • Sample

    210113-chykb144q6

  • MD5

    44cce032ed68104da1f632d18dd16971

  • SHA1

    415e8f97c4ad9392ee905cef88b814f0fd4162a2

  • SHA256

    1f9d1bffe188b76bbd97cb2fd59ab47248b71fcede2f415ca29fcc0f1040bbee

  • SHA512

    61062853a8ce2c68953105d485d63ef809aa0b94c677d304f7633226e1415e427521ed6beba45fb76de999762656f30d289f2e4ea8dbb80b659812d50c0511b7

Malware Config

Extracted

Family

formbook

C2

http://www.evana-rohanihijab.com/iic6/

Decoy

capableandresilient.com

listaprzygod.com

cashhomeprogram.com

aboutwheelchair.com

clk4milli.club

asakitreks.com

liquiddreamworld.com

uqur88.com

bestifystore.com

arancionehq.xyz

mmoimperium.com

houxinjian.com

satmonitoring.com

tidalhaven.com

blcdevelopers.com

piratesofthefun.com

kadopulsa.com

xn--o39au6k0nm4rghsaq0c.net

wxxxtw.com

kyrtjf.com
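The extracted config above is directly usable as a DNS watchlist. Formbook beacons to a selection of its decoy domains as well as to the real C2, so a query for any of them from a host is evidence of the same infection; the real C2 only matters for prioritisation and takedown. The following script is an added example (not part of the sandbox report or of any vendor tooling): it loads the C2 and decoy domains from this page, normalises names so that subdomains, trailing dots, mixed case and the punycode entry all match on a label boundary, and runs the watchlist over a few constructed DNS log lines in an assumed `timestamp client qtype qname` format.

```python
"""Build a DNS watchlist from the Formbook config in this report and scan log lines.

Added example. The DNS log format (timestamp, client IP, query type, query name)
and the log lines themselves are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the extracted config above.
C2_URL = "http://www.evana-rohanihijab.com/iic6/"
DECOY_DOMAINS = [
    "capableandresilient.com", "listaprzygod.com", "cashhomeprogram.com",
    "aboutwheelchair.com", "clk4milli.club", "asakitreks.com",
    "liquiddreamworld.com", "uqur88.com", "bestifystore.com", "arancionehq.xyz",
    "mmoimperium.com", "houxinjian.com", "satmonitoring.com", "tidalhaven.com",
    "blcdevelopers.com", "piratesofthefun.com", "kadopulsa.com",
    "xn--o39au6k0nm4rghsaq0c.net", "wxxxtw.com", "kyrtjf.com",
]

# Assumed log layout: "<timestamp> <client-ip> <qtype> <qname>" (constructed).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

SAMPLE_DNS_LOG = """\
2021-01-13T10:21:58Z 10.0.0.15 A update.microsoft.com
2021-01-13T10:22:01Z 10.0.0.15 A www.evana-rohanihijab.com
2021-01-13T10:22:03Z 10.0.0.15 A www.capableandresilient.com
2021-01-13T10:22:04Z 10.0.0.15 A notcapableandresilient.com
2021-01-13T10:22:07Z 10.0.0.15 A www.xn--o39au6k0nm4rghsaq0c.net
2021-01-13T10:22:09Z 10.0.0.22 A mail.example.org
"""


def normalize(name: str) -> str:
    """Lower-case, drop the trailing dot, and IDNA-encode so that a Unicode
    name and its punycode form compare equal. Already-ASCII labels pass through."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def build_watchlist() -> dict:
    """Map registered domain -> role ('c2' or 'decoy'). The C2 is configured as
    www.<domain>; index the bare domain so any subdomain of it matches too."""
    watchlist = {normalize(d): "decoy" for d in DECOY_DOMAINS}
    host = normalize(urlsplit(C2_URL).hostname)
    watchlist[host[4:] if host.startswith("www.") else host] = "c2"
    return watchlist


def match_domain(qname: str, watchlist: dict):
    """Return (watchlisted_domain, role) if qname is that domain or a subdomain
    of it. Suffixes are tested label by label, so 'notcapableandresilient.com'
    does not match 'capableandresilient.com'. Returns None on no match."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):  # every suffix with at least two labels
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate, watchlist[candidate]
    return None


def scan_dns_log(lines, watchlist: dict) -> list:
    """Parse each log line and collect queries that hit the watchlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        found = match_domain(m["qname"], watchlist)
        if found:
            domain, role = found
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": m["qname"], "domain": domain, "role": role})
    return hits


def display_name(domain: str) -> str:
    """Punycode -> Unicode for analyst display; falls back to the raw name."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


if __name__ == "__main__":
    wl = build_watchlist()
    for h in scan_dns_log(SAMPLE_DNS_LOG.splitlines(), wl):
        print(f"{h['ts']} {h['client']} queried {h['qname']} "
              f"[{h['role']}: {display_name(h['domain'])}]")
```

Running it flags three of the six constructed queries from 10.0.0.15: the real C2, one decoy, and the punycode decoy; the look-alike `notcapableandresilient.com` is correctly ignored. In production the same watchlist feeds a passive-DNS or proxy search rather than a flat file, and the C2 path `/iic6/` can be added as an HTTP-layer indicator for the real server.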

Targets

    • Target

      RFQ RATED POWER 2000HP- OTHERSPECIFICATION.docx.doc


    • Formbook

      Formbook is an information-stealing malware family sold as malware-as-a-service. It hooks browser and application form submissions, logs keystrokes, reads the clipboard and takes screenshots, then exfiltrates the data over HTTP to its C2. Its configuration carries one real C2 URL plus a list of decoy domains that the implant also contacts to obscure the real server.

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext (redirecting a suspended thread into injected code, the process-hollowing pattern)

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Exploitation for Client Execution (T1203) ×1

  • Defense Evasion: Modify Registry (T1112) ×1

  • Discovery: Query Registry (T1012) ×2

  • Discovery: System Information Discovery (T1082) ×2
