Overview

overview

10

Static

static

MV. XIN YU.xlsx

windows7_x64

10

MV. XIN YU.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MV. XIN YU.xlsx

  • Size

    1.6MB

  • Sample

    210114-ezddfmzy6j

  • MD5

    d715d4d4a61b5f887a208c9bddafb9da

  • SHA1

    6cdfe2b35e2418f634a2ab2f0b0edb1cef68faac

  • SHA256

    7ef5f3085a43a8ab9c302aa9127d13fea92daa426d999181eeba1bc2d8643c44

  • SHA512

    af47a4d74577e847cee79e082036bead674054192161eb747c6f6ceaed7de578dde2186ccd0c1a6ad642244e25675b548b3733a3abefcac172cc13cc9f062092

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.huynhanhdung.com/kna/

Decoy

lawrencefiredepartment.com

executivehomeoffices.com

solfed.world

oshawaexchange.com

webdavlexstore.com

youpieb.com

chiller-master.com

bearstoragetn.com

daf90x16.com

gewhacaalouine.com

simplyezi.com

cstechnologyservices.com

nosyboats.com

thecocomarie.com

vetinaryeco.club

americangoselfilm.com

gdsuhejia.com

verbunden-sein.net

the-minerva.com

loctrantv.com

Targets

    • Target

      MV. XIN YU.xlsx

    • Size

      1.6MB

    • MD5

      d715d4d4a61b5f887a208c9bddafb9da

    • SHA1

      6cdfe2b35e2418f634a2ab2f0b0edb1cef68faac

    • SHA256

      7ef5f3085a43a8ab9c302aa9127d13fea92daa426d999181eeba1bc2d8643c44

    • SHA512

      af47a4d74577e847cee79e082036bead674054192161eb747c6f6ceaed7de578dde2186ccd0c1a6ad642244e25675b548b3733a3abefcac172cc13cc9f062092

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks