Specifications.xlsx

General
Target

Specifications.xlsx

Size

369KB

Sample

211021-wlbhdabeaq

Score

10/10
MD5

9abd666a51d09d4a0cb9d052f3195c06

SHA1

89582118e5ef2d9323952f73c68280e4758c4022

SHA256

20f79144ae40eeda47760ce798f28c98c93211f2ecc38e8a626760848bb9f3a1

SHA512

5a3cde307f726f81962aecddd7c372501ba7752501721f276241e50021ccccf3ecdb831d84ca578ed69adc6fde156f144739f4bbbc80b8b4ffd7d163c14db0af

Malware Config

Extracted

Family formbook
Version 4.1
Campaign og2w
C2

http://www.wakecountyrealtyexpert.com/og2w/

Decoy


Targets
Signatures

  • Formbook

    Description: Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs: Scripting

  • Adds Run key to start application

    TTPs: Registry Run Keys / Startup Folder, Modify Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1

behavioral2

1/10