General

  • Target

    INVOICE44.xlsx

  • Size

    403KB

  • Sample

    211015-hjpekaafc4

  • MD5

    84abe73a24c3c85c72f96a7f74246ed4

  • SHA1

    bc2484c7dd276281462b1b8ce40e957b6192bd9b

  • SHA256

    b0bb44364e6069575ed370a6b2bef2953828d3391d16287d66efa3fdf03a3387

  • SHA512

    f41bd58e222ed91966e081d54c94035b085bbe5bc334d1a077c57ecbb71b3ffd6773bea0f405aa70ca3e512530ade10b5696a49a900c1800f75d23c13413bdf9

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

C2

http://www.alefisrael.com/hs3h/

Decoy

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com

Targets

    • Target

      INVOICE44.xlsx

    • Size

      403KB

    • MD5

      84abe73a24c3c85c72f96a7f74246ed4

    • SHA1

      bc2484c7dd276281462b1b8ce40e957b6192bd9b

    • SHA256

      b0bb44364e6069575ed370a6b2bef2953828d3391d16287d66efa3fdf03a3387

    • SHA512

      f41bd58e222ed91966e081d54c94035b085bbe5bc334d1a077c57ecbb71b3ffd6773bea0f405aa70ca3e512530ade10b5696a49a900c1800f75d23c13413bdf9

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Tasks