General

  • Target

    Proof of payment for overdue invoice.doc

  • Size

    1.0MB

  • Sample

    210727-xzf1xwn8bn

  • MD5

    fef57f1f8bc2bc336fa0fe4f1d5e3f30

  • SHA1

    c0169f4d359c5e889d6dc19a3559e1a4dd8bacc8

  • SHA256

    ef5b81d7eebf08ed869799e9022ca82ff0a5c781b72bb6652fbc1fe7f0e4ebcc

  • SHA512

    0009f9fb516136f198b09e5a64fa128be5d4aa1442a1d0d48a8308326c36ff6d2f9bbe394bbeb25245899dc65732f42bd1183770d1aba57ec0ef49c137fc1a4b

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    URLs

  • exe.dropper

    httP://136.144.41.61/KLcaCYuAidZMbBJ.exe

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.yjhlgg.com/grve/

  • Decoy

    jrvinganimalexterminator.com
    smallsyalls.com
    po1c3.com
    mencg.com
    aussieenjoyment.today
    espace22.com
    aanmelding-desk.info
    gallopshoes.com
    nftsexy.com
    ricosdulcesmexicanos.com
    riseswift.com
    thechicthirty.com
    matdcg.com
    alternet.today
    creativehuesdesigns.com
    rjkcrafts.com
    lowdosemortgage.com
    adoptahamster.com
    wellness-sense.com
    jacardcapital.com

Targets

    • Target

      Proof of payment for overdue invoice.doc

    • Size

      1.0MB

    • MD5

      fef57f1f8bc2bc336fa0fe4f1d5e3f30

    • SHA1

      c0169f4d359c5e889d6dc19a3559e1a4dd8bacc8

    • SHA256

      ef5b81d7eebf08ed869799e9022ca82ff0a5c781b72bb6652fbc1fe7f0e4ebcc

    • SHA512

      0009f9fb516136f198b09e5a64fa128be5d4aa1442a1d0d48a8308326c36ff6d2f9bbe394bbeb25245899dc65732f42bd1183770d1aba57ec0ef49c137fc1a4b

    • Formbook

      Formbook is an information-stealing malware (infostealer).

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (1 hit) T1112

  • Discovery

    Query Registry (2 hits) T1012

    System Information Discovery (2 hits) T1082

Tasks