Overview

overview

10

Static

static

WPS- 3668-2021.xlsx

windows7_x64

10

WPS- 3668-2021.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WPS- 3668-2021.xlsx

  • Size

    2.1MB

  • Sample

    211015-k17nksbeak

  • MD5

    caa7649ae24eafae30470a408b885c49

  • SHA1

    d73e639c9e2d8bc4bef809d2aea88e820be04b94

  • SHA256

    281d5d2e057a2ecca94356372c1aa859fbbcd42db008ba2be42b85586f1b39b6

  • SHA512

    89ca7dbc3cd1d384073e118858ec501059d0fd4c65df2616f5bce64507dd0401ffd15dfa6103ab19d60286982965d7481ab1a778d9c8f9796840dd4fba69df95

Score
10/10
formbooknk6lratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

C2

http://www.rthearts.com/nk6l/

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Targets

    • Target

      WPS- 3668-2021.xlsx

    • Size

      2.1MB

    • MD5

      caa7649ae24eafae30470a408b885c49

    • SHA1

      d73e639c9e2d8bc4bef809d2aea88e820be04b94

    • SHA256

      281d5d2e057a2ecca94356372c1aa859fbbcd42db008ba2be42b85586f1b39b6

    • SHA512

      89ca7dbc3cd1d384073e118858ec501059d0fd4c65df2616f5bce64507dd0401ffd15dfa6103ab19d60286982965d7481ab1a778d9c8f9796840dd4fba69df95

    Score
    10/10
    formbooknk6lratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks