Overview

overview

10

Static

static

neworder.xlsx

windows7_x64

10

neworder.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    neworder.xlsx

  • Size

    229KB

  • Sample

    211117-j5ktyaefgp

  • MD5

    3b26583e226ee913636bfc612327560b

  • SHA1

    419df1d3da4ab66a8a72c783a87aed90baf2fa6f

  • SHA256

    d80780ff5af7a166070fa5608c29ff736ff1357349b3784eab3b05de71239184

  • SHA512

    90b0407fbd934b1a68d1471dfb51fa590a999619c734ce3950a4afd5318761928a53f11ac38ef97e05c4e078c2b353ae8ec36df8ccf2a2d0ac266bfd76f9a2c5

Score
10/10
formbook9gr5ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

9gr5

C2

http://www.cuteprofessionalscrubs.com/9gr5/

Decoy

newleafcosmetix.com

richermanscastle.com

ru-remonton.com

2diandongche.com

federaldados.design

jeffreycookweb.com

facecs.online

xmeclarn.xyz

olgasmith.xyz

sneakersonlinesale.com

playboyshiba.com

angelamiglioli.com

diitaldefynd.com

whenevergames.com

mtheartcustom.com

vitalactivesupply.com

twistblogr.com

xn--i8s140at3d6u7c.tel

baudelaireelhakim.com

real-estate-miami-searcher.site

Targets

    • Target

      neworder.xlsx

    • Size

      229KB

    • MD5

      3b26583e226ee913636bfc612327560b

    • SHA1

      419df1d3da4ab66a8a72c783a87aed90baf2fa6f

    • SHA256

      d80780ff5af7a166070fa5608c29ff736ff1357349b3784eab3b05de71239184

    • SHA512

      90b0407fbd934b1a68d1471dfb51fa590a999619c734ce3950a4afd5318761928a53f11ac38ef97e05c4e078c2b353ae8ec36df8ccf2a2d0ac266bfd76f9a2c5

    Score
    10/10
    formbook9gr5ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks