Overview

overview

10

Static

static

10

ORDER QUOTE.docx

windows7_x64

10

ORDER QUOTE.docx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER QUOTE.docx

  • Size

    10KB

  • Sample

    210922-wn3dwafheq

  • MD5

    eee70c12ab889fd6173de81fbc9a6817

  • SHA1

    673a841da220e5ba72e5f30d1d566569595ed352

  • SHA256

    7c41d53d6dd4f2979bfcdea462feef025b2f31cf55644f927ece5f4699a1b7a9

  • SHA512

    7647f0d5adcd468a6cbae4900ecb2887de0a0f89ba25893379f905f04b7b9ee0fa89af755c8cb1db8e4d613f11a8f9f80334de3e784677d1fac1ad51cc9db8d7

Score
10/10
formbookm8g0ratspywarestealersuricatatrojanwebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://cml.lol/olxqqy

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://198.46.199.161/joo/vbc.exe

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.psicologarenatacruz.com/m8g0/

Decoy

trypapaya.pro

instructorcornernet.com

techadvisorsfl.com

raunnan.com

filestune.com

learnitanywhereskills.com

beaullife.com

getcovidwear.com

tkrbeautyinstitut.com

lisaphamkhai.com

iconicdds.com

ksoopawlas.com

testosteron.store

jctaketwo.com

awexz.online

onlinening.com

steelwerkschicago.com

lukakordic.com

expertsofcoaching.com

dashcca.com

Targets

    • Target

      ORDER QUOTE.docx

    • Size

      10KB

    • MD5

      eee70c12ab889fd6173de81fbc9a6817

    • SHA1

      673a841da220e5ba72e5f30d1d566569595ed352

    • SHA256

      7c41d53d6dd4f2979bfcdea462feef025b2f31cf55644f927ece5f4699a1b7a9

    • SHA512

      7647f0d5adcd468a6cbae4900ecb2887de0a0f89ba25893379f905f04b7b9ee0fa89af755c8cb1db8e4d613f11a8f9f80334de3e784677d1fac1ad51cc9db8d7

    Score
    10/10
    formbookm8g0ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks