General

  • Target

    Payment_Advice .doc

  • Size

    631KB

  • Sample

    210421-zqcgnrh86j

  • MD5

    02f8946d106c9da4187129f2eb0278b9

  • SHA1

    b9fed8b99b334c1b0062093bfb42eb62e2d8e562

  • SHA256

    f73c305a30ff01530c49c735e5c3b92b38248ecab0355b60d7e6e61eaebd398b

  • SHA512

    1a0ae4cab6e69d08748a8d459133bc5109905565f430866004176097893e3b7b5e4b4c28bc4e7b23d99581b0cdf72074f036e86d5038809b8b781121379f2791

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy

sewingtherose.com

thesmartshareholder.com

afasyah.com

marolamusic.com

lookupgeorgina.com

plataforyou.com

dijcan.com

pawtyparcels.com

interprediction.com

fairerfinancehackathon.net

thehmnshop.com

jocelynlopez.com

launcheffecthouston.com

joyeveryminute.com

spyforu.com

ronerasanjuan.com

gadgetsdesi.com

nmrconsultants.com

travellpod.com

ballparksportscards.com
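As an added example (not part of this sandbox report and not the sandbox's own tooling), the Python below turns the extracted config above into hunting and blocking artifacts. The parser, the DNS-hunt regex, the constructed DNS log lines and the Suricata sid are all assumptions of the example. The caveat that matters for a Formbook config: the implant beacons to the decoy domains as well as to the real C2, so all of them are worth hunting for in DNS and proxy logs, but the decoys are frequently legitimate, unrelated sites, so the network alert keys on the real C2 host plus the /xcl/ path only rather than on the decoy list.

```python
import re
from urllib.parse import urlparse

# Config block as it appears in the report above (copied from the page).
EXTRACTED_CONFIG = """\
Family
formbook
Version
4.1
C2
http://www.shoprodeovegas.com/xcl/
Decoy
sewingtherose.com
thesmartshareholder.com
afasyah.com
marolamusic.com
lookupgeorgina.com
plataforyou.com
dijcan.com
pawtyparcels.com
interprediction.com
fairerfinancehackathon.net
thehmnshop.com
jocelynlopez.com
launcheffecthouston.com
joyeveryminute.com
spyforu.com
ronerasanjuan.com
gadgetsdesi.com
nmrconsultants.com
travellpod.com
ballparksportscards.com
"""

def parse_config(text):
    """Parse the flat 'Key / value' layout into a dict and split the C2 URL."""
    fields = {"Family": [], "Version": [], "C2": [], "Decoy": []}
    section = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line in fields:  # a key line opens a new section
            section = line
            continue
        if section is None:
            raise ValueError(f"value before any key: {line!r}")
        fields[section].append(line)
    c2 = urlparse(fields["C2"][0])
    return {
        "family": fields["Family"][0],
        "version": fields["Version"][0],
        "c2_host": c2.hostname,
        "c2_path": c2.path,
        "decoys": fields["Decoy"],
    }

def beacon_hosts(cfg):
    """Every host the implant resolves: Formbook cycles through the decoys as
    well as the real C2, so all of them appear in DNS/proxy logs."""
    hosts = set(cfg["decoys"]) | {cfg["c2_host"]}
    if cfg["c2_host"].startswith("www."):
        hosts.add(cfg["c2_host"][4:])  # also hunt the bare registered domain
    return hosts

def suricata_rule(cfg, sid=1000001):
    """Alert only on the real C2 (host + URI path), never on decoy traffic.
    sid 1000001 is a placeholder in the local-use range; assign your own."""
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"Formbook {cfg["version"]} C2 check-in to {cfg["c2_host"]}"; '
        "flow:established,to_server; "
        f'http.host; content:"{cfg["c2_host"]}"; '
        f'http.uri; content:"{cfg["c2_path"]}"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )

def dns_hunt_regex(cfg):
    """Case-insensitive regex matching any beacon host or a subdomain of it."""
    alts = "|".join(re.escape(h) for h in sorted(beacon_hosts(cfg)))
    return r"(?i)^(?:[a-z0-9-]+\.)*(?:" + alts + r")\.?$"

# Constructed DNS log lines (not from the report) to exercise the hunt regex.
SAMPLE_DNS_LOG = [
    "2021-04-21T10:02:11Z host=WS01 query=www.shoprodeovegas.com type=A",
    "2021-04-21T10:02:12Z host=WS01 query=dijcan.com type=A",
    "2021-04-21T10:02:13Z host=WS01 query=update.microsoft.com type=A",
    "2021-04-21T10:02:14Z host=WS02 query=MAIL.PAWTYPARCELS.COM type=A",
]

def flag_dns_queries(lines, cfg):
    """Return the queried names that hit the Formbook beacon-host regex."""
    pat = re.compile(dns_hunt_regex(cfg))
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if m and pat.match(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Run `parse_config(EXTRACTED_CONFIG)` and feed the result to `suricata_rule` for the IDS alert and to `flag_dns_queries` over your own resolver or proxy export; the regex anchors on the whole name, so look-alike names such as `shoprodeovegas.com.example.net` do not match.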

Targets

    • Target

      Payment_Advice .doc

    • Size

      631KB

    • MD5

      02f8946d106c9da4187129f2eb0278b9

    • SHA1

      b9fed8b99b334c1b0062093bfb42eb62e2d8e562

    • SHA256

      f73c305a30ff01530c49c735e5c3b92b38248ecab0355b60d7e6e61eaebd398b

    • SHA512

      1a0ae4cab6e69d08748a8d459133bc5109905565f430866004176097893e3b7b5e4b4c28bc4e7b23d99581b0cdf72074f036e86d5038809b8b781121379f2791

    • Formbook

Formbook is an information-stealing malware family that harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, and can take screenshots; it is sold as malware-as-a-service and is commonly delivered through malicious Office documents.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Execution        Exploitation for Client Execution   1      T1203
  Defense Evasion  Modify Registry                     1      T1112
  Discovery        System Information Discovery        3      T1082
  Discovery        Query Registry                      2      T1012
