Overview

overview

10

Static

static

NEW AGREEM...1.xlsx

windows7_x64

10

NEW AGREEM...1.xlsx

windows10_x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEW AGREEMENT 2021.xlsx

  • Size

    2.4MB

  • Sample

    210121-5h219hnkqj

  • MD5

    d92414b9067c16cb85448a1d57495033

  • SHA1

    289708f65413544d5162c5c6814efe24da10b38b

  • SHA256

    36a96f3eaba0f196e2a300d1200154b29a82165b0fe7e308ed67076d8464a88c

  • SHA512

    9bd8463ebe29826feea9aa04c94f6067ee40f6786e6137eb7a494e57bb417f0c2323997f7241387a946ef53c8932ba9b7d0f1dfb61265d96883d1feea0b33881

Score
10/10
formbookxloaderloaderransomwareratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Targets

    • Target

      NEW AGREEMENT 2021.xlsx

    • Size

      2.4MB

    • MD5

      d92414b9067c16cb85448a1d57495033

    • SHA1

      289708f65413544d5162c5c6814efe24da10b38b

    • SHA256

      36a96f3eaba0f196e2a300d1200154b29a82165b0fe7e308ed67076d8464a88c

    • SHA512

      9bd8463ebe29826feea9aa04c94f6067ee40f6786e6137eb7a494e57bb417f0c2323997f7241387a946ef53c8932ba9b7d0f1dfb61265d96883d1feea0b33881

    Score
    10/10
    formbookxloaderloaderransomwareratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks