General

  • Target

    PO&CONTRACT#20880.doc

  • Size

    49KB

  • Sample

    210726-czemgee7pe

  • MD5

    1e7bc879d7960afaa08148c635ae534f

  • SHA1

    e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac

  • SHA256

    8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e

  • SHA512

    87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.containerflippers.com/np0c/

Decoy

spartansurebets.com

threelakestradingco.com

metaspace.global

zjenbao.com

directlyincluded.press

peterchadri.com

learnhousebreaking.com

wonobattle.online

leadate.com

shebafarmscali.com

top4thejob.online

awakeyourfaith.com

bedford-st.com

lolwhats.com

cucurumbel.com

lokalbazaar.com

matter.pro

eastcountyanimalrescue.com

musesgirl.com

noordinarydairy.com
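
The config above is the usual Formbook layout: one real C2 URL and a list of decoy domains. A running bot sends its beacons to the real C2 and to several of the decoys using the same URI path, so the decoys (ordinary, benign sites) hide the real server in traffic logs. The following script, an added example that is not part of the report, turns the extracted config into a proxy-log check: a hit on the C2 host plus path is a confirmed beacon, a hit on a decoy domain plus the same path is the bot's cover traffic and still confirms the client is infected, and a decoy domain without the path is only weak evidence. The log format, client IPs and query strings are constructed for the example; only the C2 URL and decoy list come from the report.

```python
"""Triage the extracted Formbook configuration against web-proxy logs.

Formbook's config carries one real C2 URL plus a list of decoy domains; the
bot beacons to the real C2 and to decoys with the same URI path, so a hit on
decoy+path still confirms an infected client.
"""
from urllib.parse import urlsplit

# C2 and decoys copied from the extracted config above.
FORMBOOK_C2 = "http://www.containerflippers.com/np0c/"
FORMBOOK_DECOYS = [
    "spartansurebets.com", "threelakestradingco.com", "metaspace.global",
    "zjenbao.com", "directlyincluded.press", "peterchadri.com",
    "learnhousebreaking.com", "wonobattle.online", "leadate.com",
    "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com",
    "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com",
    "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com",
    "noordinarydairy.com",
]

# Constructed proxy log lines (hypothetical, not from the report):
# "<epoch> <client ip> <method> <url> <status>".
SAMPLE_LOG = """\
1627257601 10.0.0.23 GET http://www.containerflippers.com/np0c/?7d=AbCdEf 200
1627257602 10.0.0.23 POST http://www.containerflippers.com/np0c/ 200
1627257603 10.0.0.23 GET http://www.spartansurebets.com/np0c/?7d=AbCdEf 404
1627257604 10.0.0.57 GET http://www.metaspace.global/ 200
1627257605 10.0.0.57 GET http://example.org/np0c/ 200
""".splitlines()


def normalise_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' so config and log agree."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_request(host, path, c2_url=FORMBOOK_C2, decoys=FORMBOOK_DECOYS):
    """Return 'c2', 'decoy', 'host-only' or None for one request.

    'c2'        real C2 host with the campaign path: confirmed beacon.
    'decoy'     decoy domain with the same path: the bot's cover traffic, still
                a confirmed infection on the requesting client.
    'host-only' a config domain without the campaign path: decoys are real,
                benign sites, so this alone is weak evidence.
    """
    c2 = urlsplit(c2_url)
    c2_host, c2_path = normalise_host(c2.hostname), c2.path
    h = normalise_host(host)
    on_path = path == c2_path          # GET beacons carry their data in the query
    if h == c2_host:
        return "c2" if on_path else "host-only"
    if h in {normalise_host(d) for d in decoys}:
        return "decoy" if on_path else "host-only"
    return None


def scan(lines):
    """Return (client, verdict, url) for every log line that matches the config."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                    # skip malformed lines rather than crash
        client, url = fields[1], fields[3]
        u = urlsplit(url)
        if not u.hostname:
            continue
        verdict = classify_request(u.hostname, u.path)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def infected_clients(lines):
    """Clients with a confirmed beacon: C2 or decoy traffic on the campaign path."""
    return {c for c, v, _ in scan(lines) if v in ("c2", "decoy")}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("infected:", sorted(infected_clients(SAMPLE_LOG)))
```

Run it on real proxy exports by replacing SAMPLE_LOG with the file's lines in the same five-field layout. The path comparison is exact on purpose: the campaign path (here /np0c/) is what separates the bot's decoy requests from a user genuinely browsing one of the decoy sites.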

Targets

    • Target

      PO&CONTRACT#20880.doc

    • Size

      49KB

    • MD5

      1e7bc879d7960afaa08148c635ae534f

    • SHA1

      e1a0db056bdc1cba07ef43c27a80e5bfd79b4eac

    • SHA256

      8c4b07ce49252a4ed12ad611a9f8fde65a63fc12368c6726776e86e140d3872e

    • SHA512

      87305e45665309e3e6de38aae33a61481445257cbef1f4ce268db0223481bb6b0acaed8d81aafee00a43d53b0278fd27a2fcd34ef51b670ca86c34108ea49366

    • Formbook

      Formbook is an information-stealing malware family (sold as malware-as-a-service): it logs keystrokes, captures clipboard contents and web form submissions, harvests stored credentials from browsers and mail clients, and takes screenshots, sending the results to its C2 server.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                           Count  ID
  Execution         Exploitation for Client Execution   1      T1203
  Defense Evasion   Modify Registry                     1      T1112
  Discovery         Query Registry                      2      T1012
  Discovery         System Information Discovery        2      T1082

Tasks