General

  • Target

    2021.07.26 - PO 0452649743 - F0578EU50.xlsx

  • Size

    798KB

  • Sample

    210726-d1yyc38gl2

  • MD5

    2396108f9695e2126edb1aada8d9b866

  • SHA1

    60d64e3ff8a7b763eb839b4910f4935ecbf58aa2

  • SHA256

    7016c73c98597d430d0f64339ea0f00e89e19b23ab633195251a099dd7b86e87

  • SHA512

    1d9373dad84fac6242f74ef99e684b8c227f563f4fa8d380b68d7653d787f3efa461bf9d639157c18d18bf57b3587aca5c5bfd10b33355a01ae0427788acddb6

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.dongshengjunyao.com/b2dn/

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution: T1203 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (2)

    System Information Discovery: T1082 (2)

Tasks