General

  • Target

    PURCHASE_ORDER.XSPECIFICATION_LW1911456.docx

  • Size

    10KB

  • Sample

    210602-r434cxy5nn

  • MD5

    91ebd2c17dfc34165107775a60332096

  • SHA1

    edd129796c2b2125b1cbb49fee200ca8bdf55019

  • SHA256

    c15791f597e2f2d7404aedb05f0709a6254a4177113cde88809eb58e01e75d0b

  • SHA512

    d689a521f82fa0cf5882b70a24a2a4395d211fe26f6391562faa714876c8133191272d8deed130e35c99d35baa86e45187c0ae0a151f23ce8cf92134debeec33

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://79.110.52.186/presh/p.wbk

Extracted

Family

formbook

Version

4.1

C2

http://www.dragonpalcenk.com/k8n/

Decoy

Targets

    • Target

      PURCHASE_ORDER.XSPECIFICATION_LW1911456.docx

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Scripting (T1064): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks