General

  • Target

    PO530CB.docx.zip

  • Size

    7KB

  • Sample

    210914-qkwt2afgd7

  • MD5

    81cffef843647d970aa96e8597319992

  • SHA1

    ebe7945f92a0810faea759c75f9b4fc022e6e9e0

  • SHA256

    4962762dd4dcce5b1d4d8f7b85456bd60b1dba05acf1ca787a652b51e9264eb7

  • SHA512

    2c4fe72b6258db545303b962f1ee5d68b02abd6f1c9f093ba0965fc4eaddfb1bfd8cc08fcc6d7750dc7e0c584cf2fe87717539dfb9043c1fddd0b9cafac9494f

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://cml.lol/uy8fey

Extracted

Family

formbook

Version

4.1

Campaign

by65

C2

http://www.boygirlthing.com/by65/

Decoy

Targets

    • Target

      PO530CB.docx

    • Size

      10KB

    • MD5

      3309466af9b380f4d0a61e831da5dd5b

    • SHA1

      a3814f7118cfd43093a8150cb1deffb3481ac90b

    • SHA256

      7d112a9306ba2121e14956533476d52466a26a08300651d51ddeed035d9c8451

    • SHA512

      f062a4fd1d2097beffbba3667afcf738ac8b62107c84e2e267852bb6eb00d9a4a622a60766d6cda8d01a9fcbe2e8a3a0cfa55a04ff7478fd2d3f9296399c67fa

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                           #  ID
Execution        Scripting                           1  T1064
Execution        Exploitation for Client Execution   1  T1203
Defense Evasion  Scripting                           1  T1064
Defense Evasion  Modify Registry                     1  T1112
Discovery        Query Registry                      2  T1012
Discovery        System Information Discovery        2  T1082