General

  • Target

    2205821.xlsx

  • Size

    227KB

  • Sample

    211110-rkrezsechm

  • MD5

    3baed0b944b707cfc4dbc55f04d7c060

  • SHA1

    cd3b1eeadef3c0fc996286270912b2d39b117d33

  • SHA256

    49c28f562c417590a96bb63b2ff2f3b763ec65347c103cee014044349be2dde5

  • SHA512

    b25622eb3fde2da917ebe757ef42ece5516f29ebfed679db09d0af56484a3e05f6f35c1bbccc7e1f6290b4af14702ee861a1ca40a26a797fc7d0664d8a6aece2

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    og2w

  • C2

    http://www.celikkaya.xyz/og2w/

  • Decoy

    drivenexpress.info
    pdfproxy.com
    zyz999.top
    oceanserver1.com
    948289.com
    nubilewoman.com
    ibizadiamonds.com
    bosniantv-australia.com
    juliehutzell.com
    poshesocial.events
    icsrwk.xyz
    nap-con.com
    womansslippers.com
    invictusfarm.com
    search-panel-avg-rock.rest
    desencriptar.com
    imperialexoticreptiles.com
    agastify.com
    strinvstr.com
    julianapeloi.com

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                           Count  ID
  Execution         Scripting                           1      T1064
  Execution         Exploitation for Client Execution   1      T1203
  Defense Evasion   Scripting                           1      T1064
  Defense Evasion   Modify Registry                     1      T1112
  Discovery         System Information Discovery        3      T1082
  Discovery         Query Registry                      2      T1012

Tasks