Overview

overview

10

Static

static

Payment Advise.xlsx

windows7_x64

10

Payment Advise.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Advise.xlsx

  • Size

    337KB

  • Sample

    211013-cswbksdcdl

  • MD5

    2a2774f89f6ac878975ef5227cc8a92b

  • SHA1

    bfbfd645fed06b7598bfe1f583d0ba04ad943b29

  • SHA256

    54167fce5b8273b4a21f9da96c32113ebe3e5831f51aebad3ae1e97d5165f263

  • SHA512

    58faad098728b89d6e99ee6e240846b04a35047e317791a47905cd2a6117a487e9ae9a6ab6d33d1405c6be4e7cdc71b18c512929c92ed3910b8554ffe13e929d

Score
10/10
formbookkzk9ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kzk9

C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

Targets

    • Target

      Payment Advise.xlsx

    • Size

      337KB

    • MD5

      2a2774f89f6ac878975ef5227cc8a92b

    • SHA1

      bfbfd645fed06b7598bfe1f583d0ba04ad943b29

    • SHA256

      54167fce5b8273b4a21f9da96c32113ebe3e5831f51aebad3ae1e97d5165f263

    • SHA512

      58faad098728b89d6e99ee6e240846b04a35047e317791a47905cd2a6117a487e9ae9a6ab6d33d1405c6be4e7cdc71b18c512929c92ed3910b8554ffe13e929d

    Score
    10/10
    formbookkzk9ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks