Overview

overview

10

Static

static

VM ASIAN C...N.xlsx

windows7_x64

10

VM ASIAN C...N.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VM ASIAN CHAMPION.xlsx

  • Size

    1.8MB

  • Sample

    210113-rx8pwt59pj

  • MD5

    fc2961be55b07415b4f6a712bd7736e5

  • SHA1

    e1c6c4c78a6deebda2e5444bc84317658a0f5b52

  • SHA256

    e2a65cc31e28a6510e974316379e8b6eb7c138d1da04cf84d0293fdc55d7d08e

  • SHA512

    d8e8a3f15b21ba1824788c774116a83af1d021634a5da09dc7a5a2abba02aabfe8ae3b44f7f53fb62a8c47d6120d1fe28ccbdc6ed99b73cf647b9947bd652c02

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.printmeroyal.com/ndm/

Decoy

gamilashopping.com

thebodyerotique.com

vulcan24on-line.com

nehyam.com

retrofityapi.com

sprayld2u.com

kieronart.com

vinteebee.com

temati.club

drenaz-limfatyczny.com

zrtopway.com

acaciagardens-bh.com

myloudmylarbags.com

fejseshessete.com

total-bar.com

yourmajordomo.com

newsstarbharat.com

vongbi.asia

multipeace.space

thesmellyheifer.com

Targets

    • Target

      VM ASIAN CHAMPION.xlsx

    • Size

      1.8MB

    • MD5

      fc2961be55b07415b4f6a712bd7736e5

    • SHA1

      e1c6c4c78a6deebda2e5444bc84317658a0f5b52

    • SHA256

      e2a65cc31e28a6510e974316379e8b6eb7c138d1da04cf84d0293fdc55d7d08e

    • SHA512

      d8e8a3f15b21ba1824788c774116a83af1d021634a5da09dc7a5a2abba02aabfe8ae3b44f7f53fb62a8c47d6120d1fe28ccbdc6ed99b73cf647b9947bd652c02

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks