Purchase Order.doc

General
Target

Purchase Order.doc

Size

221KB

Sample

211021-z87qwabfem

Score
10 /10
MD5

42686e015262b24113364a15b0ee4983

SHA1

f15fc92c8fcdd53b212993b0f1bf12e68570e114

SHA256

59ec21c2cbea8337c61be946ea039cce2316085c64f83aff71e2fa2c72517104

SHA512

785f2eb844579705535b4c068759b67c25840f5ecab9033b15fa8645b1aabdea22bc598e6f0d2ca04fecb9dfade07c05b1a161d9c72c08b72b2e63b56510651a
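Before acting on the extracted configuration, confirm that the sample on disk is the one this report analysed. The script below is an added example (not part of the report or of the sandbox that produced it): it computes all four digests listed above in a single pass over the file and reports, per algorithm, whether they match the report's values. The hashes are copied from this page; the command-line usage and the `hash_bytes` helper are the example's own.

```python
import hashlib
import sys

# Digests copied from the report above; keys are hashlib algorithm names.
REPORT_HASHES = {
    "md5": "42686e015262b24113364a15b0ee4983",
    "sha1": "f15fc92c8fcdd53b212993b0f1bf12e68570e114",
    "sha256": "59ec21c2cbea8337c61be946ea039cce2316085c64f83aff71e2fa2c72517104",
    "sha512": (
        "785f2eb844579705535b4c068759b67c25840f5ecab9033b15fa8645b1aabdea"
        "22bc598e6f0d2ca04fecb9dfade07c05b1a161d9c72c08b72b2e63b56510651a"
    ),
}


def multi_hash(chunks, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Feed every chunk to all hashers so the input is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return multi_hash([data])


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through multi_hash in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return multi_hash(iter(lambda: fh.read(chunk_size), b""))


def compare(actual, expected):
    """Per-algorithm match map. The comparison is case-insensitive because
    report pages often mix upper- and lower-case hex."""
    return {
        name: actual[name].lower() == digest.lower()
        for name, digest in expected.items()
        if name in actual
    }


def verify_sample(path, expected=REPORT_HASHES):
    """True only if every digest in the report matches the local file."""
    result = compare(hash_file(path), expected)
    return all(result.values()), result


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-sample>
    ok, detail = verify_sample(sys.argv[1])
    for name, matched in detail.items():
        print(f"{name:6s} {'OK' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

A single mismatching algorithm is enough to reject the file: a sample that agrees on MD5 but not SHA256 is a different file (or a deliberate collision), so the config below should not be attributed to it.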

Malware Config

Extracted

Family formbook
Version 4.1
Campaign jy0b
C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

charlotte-s-creations.com

homenetmidrand.com

sytypij.xyz

tapehitsscriptsparty.com

adelenashville.com

greendylife.com

agbqs.com

lilcrox.xyz

thepersonalevolutionmaven.com

graciasmiangel.com

heidisgifts.com

flchimneyspecialists.com

yorkrehabclinic.com

cent-pour-centsons.com

marcoislandsupsurf.net

expressdiagnostics.info

surferjackproductions.com

duscopy.store

uekra.tech

campaigncupgunplant.xyz

cheetahadvance.com

blickosinski.icu

laketacostahoe.com

drippysupplyco.com

isomassagegun.com

clarition.com

andrew-pillar.com

truthbudgeting.com

cloudfixr.com

cfasministries.com
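The config above is what a defender actually uses: the C2 host, the campaign identifier (which reappears as the URI path `/jy0b/` of the C2 URL), and the decoy list. Formbook beacons to the decoy domains as well as to the real C2, and most decoys are ordinary legitimate websites, so blocking the whole list causes false positives; a request to a decoy only becomes a strong signal when it carries the campaign path. The script below is an added example (not the report's or the sandbox's code) that parses the config block as it appears on this page, derives those indicators, and runs them over proxy log lines. The log format ("timestamp source method url status"), the `id=` query parameter, and the log entries themselves are constructed for the example; only the first three decoys are reproduced, the logic is unchanged for the full list.

```python
import re
from urllib.parse import urlsplit

# The Malware Config block from this report, pasted as it appears above.
# Only the first three decoy domains are reproduced to keep the example short.
CONFIG_TEXT = """
Family formbook
Version 4.1
Campaign jy0b
C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com
"""

KV_RE = re.compile(r"^(Family|Version|Campaign)\s+(\S+)$")


def parse_config(text):
    """Turn the report's key/value + list layout into a dict."""
    cfg = {"c2": [], "decoys": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
            section = None
        elif line in ("C2", "Decoy"):
            section = line.lower()
        elif section == "c2":
            cfg["c2"].append(line)
        elif section == "decoy":
            cfg["decoys"].append(line)
    return cfg


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.filecrev.com and filecrev.com compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg):
    """Split the config into C2 hosts, campaign paths and decoy hosts."""
    ind = {"c2_hosts": set(), "paths": set(), "decoys": set()}
    for url in cfg["c2"]:
        parts = urlsplit(url)
        ind["c2_hosts"].add(norm_host(parts.hostname))
        path = parts.path or "/"
        ind["paths"].add(path if path.endswith("/") else path + "/")
    ind["decoys"] = {norm_host(d) for d in cfg["decoys"]}
    return ind


def classify(url, ind):
    """Verdict for one requested URL, or None if it touches no indicator."""
    parts = urlsplit(url)
    host = norm_host(parts.hostname)
    path = parts.path or "/"
    path_hit = any(path.startswith(p) for p in ind["paths"])
    if host in ind["c2_hosts"]:
        return "c2-checkin" if path_hit else "c2-host-only"
    if host in ind["decoys"]:
        # Decoys are mostly legitimate sites: only the campaign path
        # makes a request to one of them a strong signal.
        return "decoy-campaign-path" if path_hit else "decoy-host-only"
    return None


# Constructed proxy log lines ("ts src method url status"); not from the report.
LOG_LINES = [
    "2021-10-21T10:02:11Z 10.0.5.23 GET http://www.filecrev.com/jy0b/?id=ZGVtbw== 200",
    "2021-10-21T10:02:12Z 10.0.5.23 GET http://www.modgon.com/jy0b/?id=ZGVtbw== 404",
    "2021-10-21T10:03:40Z 10.0.5.99 GET https://lamejorimagen.com/ 200",
    "2021-10-21T10:04:01Z 10.0.5.23 GET http://example.com/index.html 200",
    "2021-10-21T10:04:30Z 10.0.5.23 POST http://www.filecrev.com/jy0b/ 200",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_log(lines, ind):
    """Return one hit record per log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group("url"), ind)
        if verdict:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "method": m.group("method"), "url": m.group("url"),
                         "verdict": verdict})
    return hits


INDICATORS = build_indicators(parse_config(CONFIG_TEXT))

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, INDICATORS):
        print(f"{hit['ts']} {hit['src']} {hit['verdict']:20s} {hit['method']} {hit['url']}")
```

In the constructed log, the two requests to www.filecrev.com with the `/jy0b/` path are flagged as C2 check-ins, the request to modgon.com with the same path is flagged as a decoy carrying the campaign path, and the plain visit to lamejorimagen.com is reported as a low-confidence host-only hit that should be triaged, not blocked. Treat the `c2-host-only` and `decoy-host-only` verdicts as hunting leads rather than alerts.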

Targets
Target

Purchase Order.doc


Tags

Signatures

  • Formbook

    Description

    Formbook is an information-stealing malware family: it harvests credentials, keystrokes, clipboard contents and browser form data from the infected host and sends them to its C2 over HTTP.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    Emerging Threats IDS rule that matched the sample's HTTP GET check-in to its command-and-control server.

  • Formbook Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactic columns shown: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (column headings only; no technique entries appear on this page)

Tasks

                    static1

                    behavioral2

                    1/10