General

  • Target

    AWB 520326756202 INV. SHIPPING DOCS.xlsx

  • Size

    464KB

  • Sample

    211028-ltzj3acad3

  • MD5

    f602fc5c03a11c23fcd0bedc5befee5d

  • SHA1

    45aa4a9fcec5b9e2a3b6791d7d2d2b3e59581e14

  • SHA256

    e505d7dc6ed7b8b3a043a6e6800532927212d35926722b19c8ee4cefd0513b41

  • SHA512

    740510f14ed1dbd5979af938536403054f6f225b9a97bb6973ffa25be028ee01e7cdf726b2a8bebef1707fb4801903a1220f38f1e43dd68b4c5934e41d6a212f

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    kzk9

  • C2

    http://www.yourmajordomo.com/kzk9/

  • Decoy

    tianconghuo.club
    1996-page.com
    ourtownmax.net
    conservativetreehose.com
    synth.repair
    donnachicacreperia.com
    tentfull.com
    weapp.download
    surfersink.com
    gattlebusinessservices.com
    sebastian249.com
    anhphuc.company
    betternatureproducts.net
    defroplate.com
    seattlesquidsquad.com
    polarjob.com
    lendingadvantage.com
    angelsondope.com
    goportjitney.com
    tiendagrupojagr.com

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (1): T1064
    Exploitation for Client Execution (1): T1203

  • Defense Evasion

    Scripting (1): T1064
    Modify Registry (1): T1112

  • Discovery

    Query Registry (2): T1012
    System Information Discovery (2): T1082

Tasks