General

  • Target

    RFQ 01060021 Inquiry List.docx

  • Size

    10KB

  • Sample

    210602-3nc9ybg4ea

  • MD5

    19a53f5dc55103effe8f1bf1857050e9

  • SHA1

    f83c39a10dc491b209e299dd81b3dd92149e82cc

  • SHA256

    f894b45c87c689c51c77e76af7899fbfd99f02c3ee0dabb638612f1872acccfb

  • SHA512

    d34849e85b86c16429c214d6734a1c2b3b09a212382aa1f866bcb7ff7e2e268b711b8ca194e10f60fc46fb8b05f19ae0abc99d5de0513373d7a4ab6abf2dd7d4

Malware Config

Extracted

  • Rule

    Microsoft Office WebSettings Relationship

  • C2

    http://bit.do/fQV8b

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.mpaiji.com/c244/

  • Decoy

    ssgasija.com
    procyoon.com
    mood-street-food.com
    yeglifeview.com
    baoyai.com
    sundarsheni.com
    notoli.photography
    sweetape.com
    ergas.group
    asyrill.com
    jin188v.com
    stlazarushospitalnola.com
    dohertyfamily5.com
    duniaclubs.club
    ngobryles.com
    scottsavocasalon.com
    unifiui.com
    baileyfred.com
    nabiagency.com
    alyssaternanphotography.com

Targets

    • Target

      RFQ 01060021 Inquiry List.docx

    • Size

      10KB

    • MD5

      19a53f5dc55103effe8f1bf1857050e9

    • SHA1

      f83c39a10dc491b209e299dd81b3dd92149e82cc

    • SHA256

      f894b45c87c689c51c77e76af7899fbfd99f02c3ee0dabb638612f1872acccfb

    • SHA512

      d34849e85b86c16429c214d6734a1c2b3b09a212382aa1f866bcb7ff7e2e268b711b8ca194e10f60fc46fb8b05f19ae0abc99d5de0513373d7a4ab6abf2dd7d4

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) T1064
    Exploitation for Client Execution (1) T1203

  • Defense Evasion

    Scripting (1) T1064
    Modify Registry (1) T1112

  • Discovery

    Query Registry (2) T1012
    System Information Discovery (2) T1082