Overview

overview

10

Static

static

10

REQUEST UR...0.docx

windows7_x64

10

REQUEST UR...0.docx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    REQUEST URGENT INQUIRY Order No. BCM #03122020.docx

  • Size

    10KB

  • Sample

    210604-7sbhm3e2p6

  • MD5

    cbe2bf1df01f128648e5fb90bb3f3c5f

  • SHA1

    8917dd86f3c03bb10a4df45ef6a1bf012e10a897

  • SHA256

    fd4201668cc230dca3ada4023264462745d786fdf81c4547cc41ef291fda318f

  • SHA512

    8afc7de3a0d5659eecca7490a61c6963789d1d27bda501401242c8b58b333febf3be8efba609737188c2319043b6d0366bb7a54a5f8c2b5fb91840854b4f54da

Score
10/10
formbookratspywarestealertrojanwebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://37.120.206.70/dom/d.wbk

Extracted

Family

formbook

Version

4.1

C2

http://www.rocketschool.net/nf2/

Decoy

avlholisticdentalcare.com

coolermassmedia.com

anythingneverything.net

maimaixiu.club

veyconcorp.com

rplelectro.com

koch-mannes.club

tecknetpro.com

getresurface.net

mertzengin.com

nbppfanzgn.com

508hill.com

ourdailydelights.com

aimeesambayan.com

productstoredt.com

doublelblonghorns.com

lucidcurriculum.com

thegoddessnow.com

qywqmjku.icu

yonibymina.com

Targets

    • Target

      REQUEST URGENT INQUIRY Order No. BCM #03122020.docx

    • Size

      10KB

    • MD5

      cbe2bf1df01f128648e5fb90bb3f3c5f

    • SHA1

      8917dd86f3c03bb10a4df45ef6a1bf012e10a897

    • SHA256

      fd4201668cc230dca3ada4023264462745d786fdf81c4547cc41ef291fda318f

    • SHA512

      8afc7de3a0d5659eecca7490a61c6963789d1d27bda501401242c8b58b333febf3be8efba609737188c2319043b6d0366bb7a54a5f8c2b5fb91840854b4f54da

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks