General

  • Target

    SwiftMT1O3.xlsx

  • Size

    2MB

  • Sample

    210122-83svrnz1ba

  • MD5

    01a88cf9ab93b715387c2f3ba777cf6e

  • SHA1

    19fad6f30f2b31fec8708a9897c630f8065f61a5

  • SHA256

    970c5c7c04d9f838897c5914b840f40c0bf1dbf61503ba093a68552336952345

  • SHA512

    2dca7bbb27e320a43d04adc3d118bbb6a2c3ce0494c10a5d39805350d0cea5852b57e354aedc10b8f5d2eec54ece38caeb458d6e536166bb3958764513aba4ba
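Before detonating or sharing the file, it is worth confirming that the artefact in hand really is the sample the report describes. The following Python helper is an added example (not part of the sandbox report): it computes all four reported digests in one pass and returns only the ones that differ from the values above, so a renamed, re-saved or partially downloaded file is caught before any further work is based on this report. The file path argument and the `digests_of_bytes` / `verify_bytes` helpers are assumptions for illustration.

```python
import hashlib
import io

# Digests reported by the sandbox for SwiftMT1O3.xlsx (copied from the report above).
REPORTED = {
    "md5": "01a88cf9ab93b715387c2f3ba777cf6e",
    "sha1": "19fad6f30f2b31fec8708a9897c630f8065f61a5",
    "sha256": "970c5c7c04d9f838897c5914b840f40c0bf1dbf61503ba093a68552336952345",
    "sha512": "2dca7bbb27e320a43d04adc3d118bbb6a2c3ce0494c10a5d39805350d0cea5852"
              "b57e354aedc10b8f5d2eec54ece38caeb458d6e536166bb3958764513aba4ba",
}


def digests(stream, chunk_size=1 << 20):
    """Compute every digest in REPORTED in a single chunked pass over a file-like object."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data):
    """Convenience wrapper (assumed helper) for in-memory data."""
    return digests(io.BytesIO(data))


def verify(stream, expected=REPORTED):
    """Return {algorithm: (expected, actual)} for every digest that does NOT match."""
    actual = digests(stream)
    return {
        name: (expected[name], actual[name])
        for name in expected
        if actual[name] != expected[name].lower()
    }


def verify_bytes(data, expected=REPORTED):
    """Convenience wrapper (assumed helper) for in-memory data."""
    return verify(io.BytesIO(data), expected)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <path-to-suspected-SwiftMT1O3.xlsx>")
    with open(sys.argv[1], "rb") as f:   # path is supplied by the operator
        bad = verify(f)
    if bad:
        for name, (want, got) in bad.items():
            print("MISMATCH %s: report=%s file=%s" % (name, want, got))
    else:
        print("MATCH: file is the sample described in this report")
```

Checking all four digests rather than just MD5 also guards against the (well known) MD5 and SHA-1 collision issues: a file that matches SHA-256 and SHA-512 as well is the reported sample.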

Malware Config

Extracted

Family

formbook

C2

http://www.huynhanhdung.com/kna/

Decoy

lawrencefiredepartment.com

executivehomeoffices.com

solfed.world

oshawaexchange.com

webdavlexstore.com

youpieb.com

chiller-master.com

bearstoragetn.com

daf90x16.com

gewhacaalouine.com

simplyezi.com

cstechnologyservices.com

nosyboats.com

thecocomarie.com

vetinaryeco.club

americangoselfilm.com

gdsuhejia.com

verbunden-sein.net

the-minerva.com

loctrantv.com
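The extracted config above lists one C2 URL and twenty decoy domains. Formbook mixes its real C2 in with decoys and sends the same sample-specific URI path to all of them, so a hunt that simply blocks every domain in the config will break traffic to unrelated third-party sites, while a hunt that ignores the decoys misses the beaconing pattern. The Python below is an added example (not from the report or from any Formbook tooling) that scores requests from a constructed proxy log against this config: the C2 URL is high confidence, the `/kna/` path on a decoy or any other contact with the C2 host is medium, and plain browsing to a decoy domain is recorded only as context. The log format, client IPs and the `blocklist` helper are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Values copied from the extracted Formbook config in the report above.
C2_URL = "http://www.huynhanhdung.com/kna/"
DECOYS = (
    "lawrencefiredepartment.com", "executivehomeoffices.com", "solfed.world",
    "oshawaexchange.com", "webdavlexstore.com", "youpieb.com",
    "chiller-master.com", "bearstoragetn.com", "daf90x16.com",
    "gewhacaalouine.com", "simplyezi.com", "cstechnologyservices.com",
    "nosyboats.com", "thecocomarie.com", "vetinaryeco.club",
    "americangoselfilm.com", "gdsuhejia.com", "verbunden-sein.net",
    "the-minerva.com", "loctrantv.com",
)
C2_HOST = urlsplit(C2_URL).hostname   # "www.huynhanhdung.com"
C2_PATH = urlsplit(C2_URL).path       # "/kna/"


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_request(url):
    """Return (verdict, reason) for one URL taken from proxy or DNS logs."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    if host_matches(host, C2_HOST):
        if path.startswith(C2_PATH):
            return "high", "request to the extracted Formbook C2 URL"
        return "medium", "contact with the C2 host outside the configured path"
    for decoy in DECOYS:
        if host_matches(host, decoy):
            if path.startswith(C2_PATH):
                return "medium", "sample-specific path %s on decoy domain %s" % (C2_PATH, decoy)
            return "info", "decoy domain %s: ordinary browsing, not evidence on its own" % decoy
    return "none", "host not in config"


# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def triage_log(lines):
    """Return [(client-ip, verdict, url, reason)] for every request worth a look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, reason = classify_request(m.group("url"))
        if verdict != "none":
            hits.append((m.group("src"), verdict, m.group("url"), reason))
    return hits


def blocklist():
    """Only the real C2 host belongs on a blocklist; the decoys are live third-party sites."""
    return [C2_HOST]


# Constructed sample log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2021-01-22T08:31:02Z 10.0.4.17 GET http://www.huynhanhdung.com/kna/?id=abc123 200",
    "2021-01-22T08:31:09Z 10.0.4.17 POST http://solfed.world/kna/ 404",
    "2021-01-22T08:32:15Z 10.0.4.22 GET https://thecocomarie.com/ 200",
    "2021-01-22T08:33:40Z 10.0.4.22 GET https://example.org/kna/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, verdict, url, reason in triage_log(SAMPLE_LOG):
        print(src, verdict.upper(), url, "-", reason)
    print("block:", blocklist())
```

The decoy list is still useful as a pivot: a host that talks to several of these domains with the `/kna/` path within a short window is almost certainly running this sample even if the C2 host itself never resolves.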

Targets

    • Target

      SwiftMT1O3.xlsx

    • Size

      2MB

    • MD5

      01a88cf9ab93b715387c2f3ba777cf6e

    • SHA1

      19fad6f30f2b31fec8708a9897c630f8065f61a5

    • SHA256

      970c5c7c04d9f838897c5914b840f40c0bf1dbf61503ba093a68552336952345

    • SHA512

      2dca7bbb27e320a43d04adc3d118bbb6a2c3ce0494c10a5d39805350d0cea5852b57e354aedc10b8f5d2eec54ece38caeb458d6e536166bb3958764513aba4ba

    • Formbook

      Formbook is an information stealer: it logs keystrokes, grabs form data and clipboard contents, and harvests saved credentials from browsers and mail clients, then exfiltrates them over HTTP to its C2.

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but for a Formbook infection drive enumeration is more consistent with host discovery than with encryption.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Execution        Scripting                           1      T1064
  Execution        Exploitation for Client Execution   1      T1203
  Defense Evasion  Scripting                           1      T1064
  Defense Evasion  Modify Registry                     1      T1112
  Discovery        System Information Discovery        3      T1082
  Discovery        Query Registry                      2      T1012
