Overview

overview

10

Static

static

RFQ-9837463.doc.rtf

windows7_x64

10

RFQ-9837463.doc.rtf

windows10_x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ-9837463.doc

  • Size

    2.0MB

  • Sample

    210121-jytlkx4jpa

  • MD5

    25af535599ad3e48d6b4713f8e599871

  • SHA1

    a293b85372f9b0ffdacb46af40518f1341ddc248

  • SHA256

    a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34

  • SHA512

    99b5b3f7606405b629519d35a6d442fee454a3bb2b5a571ae2595eeb0ace33b514d7114a70feae1c740573b1e11cb9528113d8eb51efe06a423858c3a553617b

Score
10/10
formbookransomwareratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.priscilafiorini.com/rcm/

Decoy

stunninggfe-ready.today

mlmtalks.com

mountainpeakcafe.com

vlmportraits.com

broskiusa.com

yunquenet.com

webinargifts.com

theatomicclean.com

baselinefibertothehome.net

newworldnails.net

plbmw.com

natsringswerp.com

h2o4all.life

alcoholxpress.com

heliumantennaguide.com

amazon-account-app-service.com

gandhiinfotech.com

abacapitals.com

daoxfi.com

radiocota.com

Targets

    • Target

      RFQ-9837463.doc

    • Size

      2.0MB

    • MD5

      25af535599ad3e48d6b4713f8e599871

    • SHA1

      a293b85372f9b0ffdacb46af40518f1341ddc248

    • SHA256

      a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34

    • SHA512

      99b5b3f7606405b629519d35a6d442fee454a3bb2b5a571ae2595eeb0ace33b514d7114a70feae1c740573b1e11cb9528113d8eb51efe06a423858c3a553617b

    Score
    10/10
    formbookransomwareratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks