PO doc 42782.xlsx

General

Target: PO doc 42782.xlsx
Size: 369KB
Sample: 211021-wlbhdabear
Score: 10/10
MD5: 9c5486b2167c91562d09db0f5b1025e2
SHA1: 535baeb13752700a26bda678a6c85d003db29397
SHA256: bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380
SHA512: 975cc30ee83aee5feb1987321134599d97c5e1a12c739b5e1efaf627879c90ce5e5ca8fbc919c1a4fe4afe07e03e71c75f62e98c81e3871b880eb094f389ad8c

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: kzk9
C2: http://www.yourmajordomo.com/kzk9/

Decoy

Targets
Signatures

  • Formbook
    Description: Formbook is a data-stealing malware.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • Formbook Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Loads dropped DLL
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Suspicious use of SetThreadContext

Tasks

static1

behavioral2

1/10