General

  • Target

    INV2021-20800.docx

  • Size

    10KB

  • Sample

    210622-f21fh3kd4e

  • MD5

    6c1c7232217cf3ac24711d9d5588126d

  • SHA1

    03900482a118b894b2a5154dba552a543ccb7eb3

  • SHA256

    040ce819e4f59dd7803e3c75da71048dd8fcf3b28f840889562fd55b6e3f74f2

  • SHA512

    fb792cb769fb519529fa5029fbef1aef286ce30d9defaf698d4b5450965854b563e36e46b852f4a7df9f0fcc60ed4185b7b23c245dba0e7529ce57cf9dabf8e2

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

https://itsssl.com/jBbhJ

Extracted

Family

formbook

Version

4.1

C2

http://www.rocketschool.net/nf2/

Decoy


Targets


    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1064 Scripting (1)
    T1203 Exploitation for Client Execution (1)

  • Defense Evasion

    T1064 Scripting (1)
    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (2)
