Overview

overview

10

Static

static

8

14.xlam

windows7_x64

10

14.xlam

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    14.xlam

  • Size

    15KB

  • Sample

    210506-jfyk3g2z92

  • MD5

    11e9376ee19889ee5c08e816b1d3b231

  • SHA1

    d22b56bedc58de7da73d647a5f3048b9cabc17d7

  • SHA256

    cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c

  • SHA512

    fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b

Score
10/10
formbookmacroratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Targets

    • Target

      14.xlam

    • Size

      15KB

    • MD5

      11e9376ee19889ee5c08e816b1d3b231

    • SHA1

      d22b56bedc58de7da73d647a5f3048b9cabc17d7

    • SHA256

      cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c

    • SHA512

      fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Use of msiexec (install) with remote resource

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks