General
-
Target
INVOICE56K.xlsx
-
Size
443KB
-
Sample
211028-lyxw2afhdl
-
MD5
4cdf1a31c469b31f3a8beb518ea7463c
-
SHA1
b44fb9c8b59ad5c465c9c30ada4f768247460c30
-
SHA256
c07f1a20f4ec699e3f2eedff1e2c08501ab1ab93d4651edac4fd0f950e02fb89
-
SHA512
762a1d304b1633cdf53c9dabd627e25ad5fc86cb7f5644178c9d7cc81b607db9d1e422a44fd5ea84217779c94a14459a2ddfcb9c41bb042267b30a90e5d74d5c
Malware Config
Extracted
formbook
4.1
hs3h
http://www.alefisrael.com/hs3h/
slairt.com
teresasellsflorida.com
resouthcarolina.com
npccfbf.com
hutshed.com
westatesmarking.com
rustmonkeys.com
kagawa-rentacar.com
easyvoip-system.com
admorinsulation.com
ericaleighjensen.com
zhonghaojiaju.net
apple-iphone.xyz
b0t.info
torgetmc.xyz
lawrencemargarse.com
6123655.com
macdonalds-delivery.com
cvpfl.com
ayudaparaturent.com
Targets
-
-
Target
INVOICE56K.xlsx
-
Size
443KB
-
MD5
4cdf1a31c469b31f3a8beb518ea7463c
-
SHA1
b44fb9c8b59ad5c465c9c30ada4f768247460c30
-
SHA256
c07f1a20f4ec699e3f2eedff1e2c08501ab1ab93d4651edac4fd0f950e02fb89
-
SHA512
762a1d304b1633cdf53c9dabd627e25ad5fc86cb7f5644178c9d7cc81b607db9d1e422a44fd5ea84217779c94a14459a2ddfcb9c41bb042267b30a90e5d74d5c
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-