Overview

overview

10

Static

static

8

sp.xlam

windows7_x64

10

sp.xlam

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sp.xlam

  • Size

    15KB

  • Sample

    210505-z7klq8cvks

  • MD5

    399563af4221cc2c176d8f218d6a563d

  • SHA1

    72251218c8127abeab4c04944445c18bdac2688f

  • SHA256

    cc9cefa7960d991d414051f5fe153ffa514a2e687143dd2b1b6966edbbcadbec

  • SHA512

    bb0aef3126bc94f5bc32bddc96b4c6720b4eeeaa91c1a80c95039d4c88871fdc33ceef7cd579bd00d4acbc62987f9e6c0fa7efa08de81e4a4db8194f81f6ebea

Score
10/10
formbookmacroratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Targets

    • Target

      sp.xlam

    • Size

      15KB

    • MD5

      399563af4221cc2c176d8f218d6a563d

    • SHA1

      72251218c8127abeab4c04944445c18bdac2688f

    • SHA256

      cc9cefa7960d991d414051f5fe153ffa514a2e687143dd2b1b6966edbbcadbec

    • SHA512

      bb0aef3126bc94f5bc32bddc96b4c6720b4eeeaa91c1a80c95039d4c88871fdc33ceef7cd579bd00d4acbc62987f9e6c0fa7efa08de81e4a4db8194f81f6ebea

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Use of msiexec (install) with remote resource

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks