Overview

overview

10

Static

static

payment copy.xlsx

windows7_x64

10

payment copy.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    payment copy.xlsx

  • Size

    670KB

  • Sample

    210507-zjr2229h6a

  • MD5

    aea58eb70601d6c06d73b14c047d2274

  • SHA1

    38a71f5ec2abe59a8fab0d13a46ac2a86ef0e2bf

  • SHA256

    d4e1391a4c091eb93ee714ad3b7cb38363d1859c156a9c70d34f2176eb17af37

  • SHA512

    8d36fc594ce7622b34764cf39612265b687a3ee1d2d644f6aebcaf215379aa5820a52f3df37c899d9663cc8a843689b1e148854b96707fae69dfb9f23910a6fa

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.conciergedoctx.com/ot8m/

Decoy

digiclan.net

songlautramtuoii.online

miracleseedproducts.com

taniacastillo.com

essentialme.network

charmcitydetour.com

suprekopis.com

jimmycollier.com

thrifteee.com

rhmachinery.ltd

the05project.com

altfacebookalt.com

ein-herz-fuer-holz.com

kingohost.com

vmarines.com

2bestudio.com

triducdv.com

kp-transport.com

mybostonhwart.com

benzcat.net

Targets

    • Target

      payment copy.xlsx

    • Size

      670KB

    • MD5

      aea58eb70601d6c06d73b14c047d2274

    • SHA1

      38a71f5ec2abe59a8fab0d13a46ac2a86ef0e2bf

    • SHA256

      d4e1391a4c091eb93ee714ad3b7cb38363d1859c156a9c70d34f2176eb17af37

    • SHA512

      8d36fc594ce7622b34764cf39612265b687a3ee1d2d644f6aebcaf215379aa5820a52f3df37c899d9663cc8a843689b1e148854b96707fae69dfb9f23910a6fa

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks