Overview

overview

10

Static

static

10

Order Spec...n.docx

windows7_x64

10

Order Spec...n.docx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order Specification.docx

  • Size

    10KB

  • Sample

    210615-s2ca36psbx

  • MD5

    67c8ecd6af15b24d8ada9142aa3bec6e

  • SHA1

    f55c87f0da307e1049847b1f3cbfe90b541db063

  • SHA256

    9c9c3a88a1aed30e34abbae91f84f82d1777bcf303f8dabbbdc8330d2090febc

  • SHA512

    65efcd5e42ac1ad9e862666c1e12c6c111cf38e046944f34095b9d33922ac6a35e1fc4269d473b4f52c583d05377b9b0c94ecf7dcdea2bd4682880c30154a6ab

Score
10/10
formbookratspywarestealertrojanwebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://0300.0003.0215.0244/ore/o.wbk

Extracted

Family

formbook

Version

4.1

C2

http://www.dragonpalcenk.com/k8n/

Decoy

foxynailserie.com

thenoyzees.com

waterrising.xyz

allmister.com

theguyscave.com

erkitap.com

spyder-club.com

raskrutisam.com

giantledlights.com

wowbeautynails.com

youmovies.site

abjms.com

enso-solutions.com

seasonalcampgroundsmn.com

lukeprater.com

mufasacapital.com

idi360.com

mask-cleaner.com

aeruswilmde.com

venkatlifecoach.com

Targets

    • Target

      Order Specification.docx

    • Size

      10KB

    • MD5

      67c8ecd6af15b24d8ada9142aa3bec6e

    • SHA1

      f55c87f0da307e1049847b1f3cbfe90b541db063

    • SHA256

      9c9c3a88a1aed30e34abbae91f84f82d1777bcf303f8dabbbdc8330d2090febc

    • SHA512

      65efcd5e42ac1ad9e862666c1e12c6c111cf38e046944f34095b9d33922ac6a35e1fc4269d473b4f52c583d05377b9b0c94ecf7dcdea2bd4682880c30154a6ab

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks