Overview

overview

10

Static

static

SHIPMENT D...S.xlsx

windows7_x64

10

SHIPMENT D...S.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SHIPMENT DOCUMENTS.xlsx

  • Size

    98KB

  • Sample

    211008-g935zadfbk

  • MD5

    7098e348ff955b6109ef878f4ebf15b1

  • SHA1

    d9a50c00391cdec6295cda82563360d2e819fbbf

  • SHA256

    2c4a23d5598d7ed40b574a4bf0b835c6185c57f15677fbf37ec9192affe26d2f

  • SHA512

    56107862571bd5924325c8a59e05ea6ed97e4df793203921e17634bcbba06b7bd12bfe63110fec519012be8ba50fee6e7881078cd16fd84cd0b36759a4273edb

Score
10/10
formbookkzk9ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kzk9

C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

Targets

    • Target

      SHIPMENT DOCUMENTS.xlsx

    • Size

      98KB

    • MD5

      7098e348ff955b6109ef878f4ebf15b1

    • SHA1

      d9a50c00391cdec6295cda82563360d2e819fbbf

    • SHA256

      2c4a23d5598d7ed40b574a4bf0b835c6185c57f15677fbf37ec9192affe26d2f

    • SHA512

      56107862571bd5924325c8a59e05ea6ed97e4df793203921e17634bcbba06b7bd12bfe63110fec519012be8ba50fee6e7881078cd16fd84cd0b36759a4273edb

    Score
    10/10
    formbookkzk9ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks