Overview

overview

10

Static

static

Inquiry No...oc.rtf

windows7_x64

10

Inquiry No...oc.rtf

windows10_x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Inquiry No TBD-6-5659.doc

  • Size

    2.1MB

  • Sample

    210121-17c64yg12n

  • MD5

    1487709f7e0bd31d246132df9e334e9c

  • SHA1

    6f4250f4ffa15136852127b7d9dbfeabdd85d020

  • SHA256

    49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a

  • SHA512

    aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83af5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462

Score
10/10
formbookransomwareratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.raleighblacknursesrock.com/sly/

Decoy

nature-nectar.com

lavenderbunch.com

itsguapo.com

silabrenda.digital

madelynmason.com

uslawyer911.com

sumarjewelry.com

therefundexperts.com

smartunity.community

jamesdalby.com

7697vip3.com

bytethug.com

f22.info

positivechargerecycling.com

srimps.net

conversica.partners

chezmireillestore.com

ukiyoservices.com

catsdungeon.com

svactionwmdp7955.com

Targets

    • Target

      Inquiry No TBD-6-5659.doc

    • Size

      2.1MB

    • MD5

      1487709f7e0bd31d246132df9e334e9c

    • SHA1

      6f4250f4ffa15136852127b7d9dbfeabdd85d020

    • SHA256

      49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a

    • SHA512

      aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83af5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462

    Score
    10/10
    formbookransomwareratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks