General

  • Target

    Payment Swift.doc

  • Size

    319KB

  • Sample

    210510-kva8ampf7e

  • MD5

    eaf353f50d090caa75e67f05393c8717

  • SHA1

    9dcea91cea5313f75f69ad255fd919497d418904

  • SHA256

    b6a6ff003727e8fe59a6d10a4ea5fa4b066e15cd0ecba552c4d7d3d08da0d986

  • SHA512

    d035e065741109ace2e8f59abf5a5ab62d7fc94da64a7bd185c82f07c5bfadf364ed494c6fee6a2768ad243a6d393941ed799c24d40818b57bc28a8375e19931

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy

sewingtherose.com

thesmartshareholder.com

afasyah.com

marolamusic.com

lookupgeorgina.com

plataforyou.com

dijcan.com

pawtyparcels.com

interprediction.com

fairerfinancehackathon.net

thehmnshop.com

jocelynlopez.com

launcheffecthouston.com

joyeveryminute.com

spyforu.com

ronerasanjuan.com

gadgetsdesi.com

nmrconsultants.com

travellpod.com

ballparksportscards.com

Targets

    • Target

      Payment Swift.doc

    • Size

      319KB

    • MD5

      eaf353f50d090caa75e67f05393c8717

    • SHA1

      9dcea91cea5313f75f69ad255fd919497d418904

    • SHA256

      b6a6ff003727e8fe59a6d10a4ea5fa4b066e15cd0ecba552c4d7d3d08da0d986

    • SHA512

      d035e065741109ace2e8f59abf5a5ab62d7fc94da64a7bd185c82f07c5bfadf364ed494c6fee6a2768ad243a6d393941ed799c24d40818b57bc28a8375e19931

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks