Overview

overview

10

Static

static

Specifications.xlsx

windows7_x64

10

Specifications.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Specifications.xlsx

  • Size

    369KB

  • Sample

    211021-wlbhdabeaq

  • MD5

    9abd666a51d09d4a0cb9d052f3195c06

  • SHA1

    89582118e5ef2d9323952f73c68280e4758c4022

  • SHA256

    20f79144ae40eeda47760ce798f28c98c93211f2ecc38e8a626760848bb9f3a1

  • SHA512

    5a3cde307f726f81962aecddd7c372501ba7752501721f276241e50021ccccf3ecdb831d84ca578ed69adc6fde156f144739f4bbbc80b8b4ffd7d163c14db0af

Score
10/10
formbookog2wpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

og2w

C2

http://www.wakecountyrealtyexpert.com/og2w/

Decoy

patriotxf.com

thecreagles.com

riverdenim.com

cybqo.com

zzfangnan.com

empowerhis.com

resiliencewearmiami.com

myticketly.com

pistachio.land

13055.club

millennialsofacertainage.com

jnxdsgc.com

pixelsandplastic.digital

bugroster.com

chargedockz.com

gzyazsp.com

sintec-consultores.com

pourtonmobile.com

upmhss.com

amkanalrajhi.com

Targets

    • Target

      Specifications.xlsx

    • Size

      369KB

    • MD5

      9abd666a51d09d4a0cb9d052f3195c06

    • SHA1

      89582118e5ef2d9323952f73c68280e4758c4022

    • SHA256

      20f79144ae40eeda47760ce798f28c98c93211f2ecc38e8a626760848bb9f3a1

    • SHA512

      5a3cde307f726f81962aecddd7c372501ba7752501721f276241e50021ccccf3ecdb831d84ca578ed69adc6fde156f144739f4bbbc80b8b4ffd7d163c14db0af

    Score
    10/10
    formbookog2wpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks