Overview

overview

10

Static

static

PO doc 42782.xlsx

windows7_x64

10

PO doc 42782.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO doc 42782.xlsx

  • Size

    369KB

  • Sample

    211021-wlbhdabear

  • MD5

    9c5486b2167c91562d09db0f5b1025e2

  • SHA1

    535baeb13752700a26bda678a6c85d003db29397

  • SHA256

    bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380

  • SHA512

    975cc30ee83aee5feb1987321134599d97c5e1a12c739b5e1efaf627879c90ce5e5ca8fbc919c1a4fe4afe07e03e71c75f62e98c81e3871b880eb094f389ad8c

Score
10/10
formbookkzk9ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kzk9

C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

Targets

    • Target

      PO doc 42782.xlsx

    • Size

      369KB

    • MD5

      9c5486b2167c91562d09db0f5b1025e2

    • SHA1

      535baeb13752700a26bda678a6c85d003db29397

    • SHA256

      bc081b96be044e4fd5b0d0a48151aac96251ba275c9a66e9add9daf1d2e12380

    • SHA512

      975cc30ee83aee5feb1987321134599d97c5e1a12c739b5e1efaf627879c90ce5e5ca8fbc919c1a4fe4afe07e03e71c75f62e98c81e3871b880eb094f389ad8c

    Score
    10/10
    formbookkzk9ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks