SALAMATH EXPORTS.docx

General

Target: SALAMATH EXPORTS.docx
Size: 10KB
Sample: 210914-t6dgcsbabp
Score: 10/10
MD5: 12f193f5a91b18567a1dc4c652a9b9f4
SHA1: 9c030151be689de05d2391114f437d748b13c8d8
SHA256: 32cfaa88c450f72627f502fa72b50b21c3ae2d0199eebbd9f3f750945521678a
SHA512: ab3d112138c3e5e8b303a58ed35df967acdedd4f1e6c9efb419395c6ba6f0224f6ef2f5a429ebdf5842e59df9dcbf83f79f5ad5dd345a88e56efdc1cecb78112

Malware Config

Extracted

Rule: Microsoft Office WebSettings Relationship
C2: http://cml.lol/tj7g80

Extracted

Family: formbook
Version: 4.1
Campaign: m8g0
C2: http://www.corbvalperu.com/m8g0/

Decoy

Targets

Target: SALAMATH EXPORTS.docx
Signatures

  • Formbook
    Description: Formbook is data-stealing malware.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  • suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  • Formbook Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Abuses OpenXML format to download file from external location
  • Loads dropped DLL
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation)

Tasks

static1: 10/10
behavioral2: 1/10