General

  • Target

    PO20210723.xlsx

  • Size

    1.2MB

  • Sample

    210723-mhh6d4r7bs

  • MD5

    13481df252e0eed6eea3f219a47d42f3

  • SHA1

    916c441582321287167e51f987ae719d75892ae8

  • SHA256

    b78a8643cd8001537207ddfaa47ac46e68a7d5c38d2b1eb1a1ca216101152eb9

  • SHA512

    e51dcac2395e751f4cb99014097c3e6b235a46d4a4b24d68e9191282583b5bd64854aff0d4078c13676b034b540c76b24e652d08efad8dfe1bc71808ba4681e7

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.howmucharemyrarecoinsworth.com/jn7g/

Decoy

mojketering.com

signinsimple.com

theartclouds.com

xmartmanagement.com

akademisantri.com

knitsu.com

funeralhomeswarrensburgil.com

formatohd.xyz

ortetiles.com

myeduhubs.com

twinpiques.com

itpaystobefashionable.com

3drinkminimum.com

wanpoo1.com

crystalclearlifecoachingcc.com

dronerealestate.net

langers.email

konstela.com

enteratecondanielvelasquez.com

graceinhomeschoolchaos.com

Targets

    • Target

      PO20210723.xlsx

    • Size

      1.2MB

    • MD5

      13481df252e0eed6eea3f219a47d42f3

    • SHA1

      916c441582321287167e51f987ae719d75892ae8

    • SHA256

      b78a8643cd8001537207ddfaa47ac46e68a7d5c38d2b1eb1a1ca216101152eb9

    • SHA512

      e51dcac2395e751f4cb99014097c3e6b235a46d4a4b24d68e9191282583b5bd64854aff0d4078c13676b034b540c76b24e652d08efad8dfe1bc71808ba4681e7

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks