Overview

overview

10

Static

static

Shipping D...S.xlsx

windows7_x64

10

Shipping D...S.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Shipping Doc_Posen 2011S.xlsx

  • Size

    1.9MB

  • Sample

    210115-ccjgdtvdmx

  • MD5

    6251595d49a8e13fd50acdee711a4907

  • SHA1

    3858854ea990b7b7093a11d817a71e78153f42c1

  • SHA256

    3519fe69cbcf16296c897fae7afe09ce22b9d3b8ebfaf2be8d958d985c9104f8

  • SHA512

    4074c4decfe9790dc3605e183e2dd536446ec0404194dd1df53dbccb3de9f5b0db55df603713b5e94d51c60c64091e9cda576c84496d783723663b3691f3d689

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.waverunner-fan.com/pp2/

Decoy

meredithridenhour.com

foundationsseniormanagement.com

sallyta.com

msmonlinellc.com

entreprisesfr.com

neadclunlounge.com

lexuscarbonfiber.com

electroglas-probers.com

investedgefinancialinc.com

blm.healthcare

workoutmagazinemx.com

edmondsagent.com

rodrigzart.com

standardstripcurtains.com

carrier.email

hifan.info

fhcqtravel.com

legacycream.com

topfurnity.com

solids-development.net

Targets

    • Target

      Shipping Doc_Posen 2011S.xlsx

    • Size

      1.9MB

    • MD5

      6251595d49a8e13fd50acdee711a4907

    • SHA1

      3858854ea990b7b7093a11d817a71e78153f42c1

    • SHA256

      3519fe69cbcf16296c897fae7afe09ce22b9d3b8ebfaf2be8d958d985c9104f8

    • SHA512

      4074c4decfe9790dc3605e183e2dd536446ec0404194dd1df53dbccb3de9f5b0db55df603713b5e94d51c60c64091e9cda576c84496d783723663b3691f3d689

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks