CI&BL shipping documents.xlsx

General
Target

CI&BL shipping documents.xlsx

Size

311KB

Sample

211110-dqbd3adchq

Score
10 /10
MD5

bc374aadfcfd5dfafaa96a8461f109bf

SHA1

bdfb5c095a97035e29ac95a1f7cbf5f561224af8

SHA256

678d94aaf0de5200cbb7ec2d1829c4264019325a8d4f7000fc330d56844615a4

SHA512

7c396ac68292b98cac3195b410b7774a45fafc40e08a6f05351b2aa2b8da379d0c70829a46186d62d7388eb64c5861765db91d450daab3e2825863c93c5d9366

Malware Config

Extracted

Family formbook
Version 4.1
Campaign kzk9
C2

http://www.yourmajordomo.com/kzk9/
Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

self-care360.com

foreignexchage.com

loan-stalemate.info

hrsimrnsingh.com

laserobsession.com

primetimesmagazine.com

teminyulon.xyz

kanoondarab.com

alpinefall.com

tbmautosales.com

4g2020.com

libertyquartermaster.com

flavorfalafel.com

generlitravel.com

solvedfp.icu

jamnvibez.com

zmx258.com

doudiangroup.com

dancecenterwest.com

ryantheeconomist.com

beeofthehive.com

bluelearn.world

vivalasplantas.com

yumiacraftlab.com

shophere247365.com

enjoybespokenwords.com

windajol.com

ctgbazar.xyz

afcerd.com

dateprotect.com
Targets
Target

CI&BL shipping documents.xlsx

MD5

bc374aadfcfd5dfafaa96a8461f109bf

Filesize

311KB

Score
10/10
SHA1

bdfb5c095a97035e29ac95a1f7cbf5f561224af8

SHA256

678d94aaf0de5200cbb7ec2d1829c4264019325a8d4f7000fc330d56844615a4

SHA512

7c396ac68292b98cac3195b410b7774a45fafc40e08a6f05351b2aa2b8da379d0c70829a46186d62d7388eb64c5861765db91d450daab3e2825863c93c5d9366

Tags

Signatures

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Formbook Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    behavioral1

                    10/10

                    behavioral2

                    1/10