INQURI 32Y235.xlsx

Target

INQURI 32Y235.xlsx

Size

227KB

Sample

211113-j2ztpabgbp

Score

10 ^/10

MD5

8580b837d36557eb8c3f427d09516ac2

SHA1

6be039af32e0308859330f02679d90fcaf2c1a7a

SHA256

4d42a8ac965539112d0afb5f75d6c2c28f44d80d8441bdb3a4ab890275d9cd84

SHA512

7e98d79c29fa709417197a0bb06a9ae91a29daadb7787a932c2151c4cd16e587a6b24497b5a1e83bc502350339f11a43194c035a09e16613f3b717ba3b39bbe8

Extracted

Family	formbook
Version	4.1
Campaign	kzk9
C2	http://www.yourmajordomo.com/kzk9/ http://www.yourmajordomo.com/kzk9/
Decoy	tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com

Target

INQURI 32Y235.xlsx

MD5

8580b837d36557eb8c3f427d09516ac2

Filesize

227KB

Score

10^/10

SHA1

6be039af32e0308859330f02679d90fcaf2c1a7a

SHA256

4d42a8ac965539112d0afb5f75d6c2c28f44d80d8441bdb3a4ab890275d9cd84

SHA512

7e98d79c29fa709417197a0bb06a9ae91a29daadb7787a932c2151c4cd16e587a6b24497b5a1e83bc502350339f11a43194c035a09e16613f3b717ba3b39bbe8

Signatures

Formbook
Description

Formbook is a data stealing malware which is capable of stealing data.
Tags

trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Description

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags

suricata
Formbook Payload
Tags

rat
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
TTPs

Scripting
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exploitation for Client Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

formbook kzk9 rat spyware stealer suricata trojan

10^/10

behavioral2

1^/10

Extracted

Tags

Signatures

Formbook

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (GET)

Description

Tags

Formbook Payload

Tags

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2