Overview

overview

10

Static

static

RFQ REF R2...2.xlsx

windows7_x64

10

RFQ REF R2...2.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ REF R22017582.xlsx

  • Size

    369KB

  • Sample

    211019-q9vchagggl

  • MD5

    8a959de9e01eae75fac8172084d75fc5

  • SHA1

    91bcc1a394d36aa8e1450b6cc397a754f51fa5c5

  • SHA256

    af0ab38a688694a2ea791589baec0094b22b7692600e1ce2da2ba375aad37c9b

  • SHA512

    ff961e3c11303af4d9f3847c9f6bd8fa62c99b444b699d8171c1596f81e5325e796d03d5d447c1d4f765c012ce1f50a0cdc85d72a96491aec2a12f4f18b264e8

Score
10/10
formbookog2wpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

og2w

C2

http://www.wakecountyrealtyexpert.com/og2w/

Decoy

patriotxf.com

thecreagles.com

riverdenim.com

cybqo.com

zzfangnan.com

empowerhis.com

resiliencewearmiami.com

myticketly.com

pistachio.land

13055.club

millennialsofacertainage.com

jnxdsgc.com

pixelsandplastic.digital

bugroster.com

chargedockz.com

gzyazsp.com

sintec-consultores.com

pourtonmobile.com

upmhss.com

amkanalrajhi.com

Targets

    • Target

      RFQ REF R22017582.xlsx

    • Size

      369KB

    • MD5

      8a959de9e01eae75fac8172084d75fc5

    • SHA1

      91bcc1a394d36aa8e1450b6cc397a754f51fa5c5

    • SHA256

      af0ab38a688694a2ea791589baec0094b22b7692600e1ce2da2ba375aad37c9b

    • SHA512

      ff961e3c11303af4d9f3847c9f6bd8fa62c99b444b699d8171c1596f81e5325e796d03d5d447c1d4f765c012ce1f50a0cdc85d72a96491aec2a12f4f18b264e8

    Score
    10/10
    formbookog2wpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks