Overview

overview

10

Static

static

VM ASIAN C...N.xlsx

windows7_x64

10

VM ASIAN C...N.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VM ASIAN CHAMPION.xlsx

  • Size

    1.8MB

  • Sample

    210115-q3t9dyrr8e

  • MD5

    fa54fb8f1e2cb91097b66edc81c16764

  • SHA1

    249aee08a090bb6c57816dce20ca968fc1a7c8d6

  • SHA256

    cafc9b500bdf7058b0d77f43d5aad253eb30347d483bc9b7a507f66503d04934

  • SHA512

    d08b1ed7cd1c3f57ccf89b87e8c37d8a9c4c2b81d6af9865ee05dea30c64dcecb540c34b49f2d4ccf5291a5a56431a4a4e3faf13cde251768e722e5b876e4cbd

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.thejusticeadvantageseminars.com/qccq/

Decoy

webuynyhouses.com

love-nepal.com

gardening-mistakes.com

495honda.com

newcuus.com

alefinvest.com

delhikigully.com

aznri4z9gtky4.net

hanswiemannbyaderans.com

mecaldiesel.com

akshen.net

y-agency.net

ahrohishrestha.com

arthalvorsonforcongress.com

mvmcompany.net

qyjjsk.com

yescoop.com

esergedrghwebrgqrq.xyz

kellyharmonedconsulting.com

deliciosatentacion.com

Targets

    • Target

      VM ASIAN CHAMPION.xlsx

    • Size

      1.8MB

    • MD5

      fa54fb8f1e2cb91097b66edc81c16764

    • SHA1

      249aee08a090bb6c57816dce20ca968fc1a7c8d6

    • SHA256

      cafc9b500bdf7058b0d77f43d5aad253eb30347d483bc9b7a507f66503d04934

    • SHA512

      d08b1ed7cd1c3f57ccf89b87e8c37d8a9c4c2b81d6af9865ee05dea30c64dcecb540c34b49f2d4ccf5291a5a56431a4a4e3faf13cde251768e722e5b876e4cbd

    Score
    10/10
    formbookxloaderloaderratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks