General

  • Target

    excel.DLLW32

  • Size

    24KB

  • Sample

    210727-cb5gck1wpa

  • MD5

    c79d67e385569c8e4f090f0dc188cfff

  • SHA1

    68ee64c9f281aa0dd0479c8e89289b2af0bf72e8

  • SHA256

    7a7a4887dcc86e8b6a576ae2acf805881586ee672be261a2a91a8d7a6e78c5bd

  • SHA512

    4b4b906e5089816e7c7fb09c594e72bdf751ddd0cc2276b1a01a4915233983814a2463ac7648300362505128c5198882248f05fb5a3483b4702daedbed92b918

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.happylittlexplorers.com/glgd/

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (1) T1130

  • Modify Registry (1) T1112

Tasks