General

  • Target

    PO-AWSCOP.xlsx

  • Size

    1.2MB

  • Sample

    210812-j94x8xe8es

  • MD5

    d412ca9b87a56bffb27f3f8479e10aef

  • SHA1

    af824f6bcbf67326b92ae2513f3251986fd19c59

  • SHA256

    82b5b3932d32d3c91730bad9dda00f872835609cbc922fc4e70dbf2d21f8c52a

  • SHA512

    2df2f1380982545b9480e64fef69b0c497e39930be8c0bb38a03c51042e501fd15a501389c91405f5f3c46c33bf310a3afb89652d4ef401598f9469d58759cf2

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    dd2v

  • C2

    http://www.fortmyerscruisevacation.com/dd2v/

  • Decoy

    jkrqzmeyd.icu
    cbluedottvwdshop.com
    yhchen.space
    premierhealthnwellness.com
    szkuyaju.com
    harvestmoonloans.net
    dadematerial.com
    mariaclarahairstudio.com
    hwunvy.online
    puloutjbmere.com
    kossu1989.com
    dubbedos.com
    ncylis.com
    hybrid-sol.com
    travelature.com
    gracefulcounts.com
    66secretgarden.com
    eslonyourcell.com
    wisersponsorship.com
    sepn3.com

Targets

    • Target

      PO-AWSCOP.xlsx

    • Size

      1.2MB

    • MD5

      d412ca9b87a56bffb27f3f8479e10aef

    • SHA1

      af824f6bcbf67326b92ae2513f3251986fd19c59

    • SHA256

      82b5b3932d32d3c91730bad9dda00f872835609cbc922fc4e70dbf2d21f8c52a

    • SHA512

      2df2f1380982545b9480e64fef69b0c497e39930be8c0bb38a03c51042e501fd15a501389c91405f5f3c46c33bf310a3afb89652d4ef401598f9469d58759cf2

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1): T1064
    Exploitation for Client Execution (1): T1203

  • Defense Evasion

    Scripting (1): T1064
    Modify Registry (2): T1112
    Install Root Certificate (1): T1130

  • Discovery

    Query Registry (2): T1012
    System Information Discovery (2): T1082

Tasks