General

  • Target

    RFQ2201002 PFK.xlsx

  • Size

    1.4MB

  • Sample

    220126-pnbsladbd3

  • MD5

    073a56cf012776f595d4a6b3fe8db7d9

  • SHA1

    af45c60581e83fa5397a555941881ff1348eaae8

  • SHA256

    7a5a6d15651f1da626bdf3859936a578e326fe9bae889a5424fae4ec553924ec

  • SHA512

    fbbcb7feeec63c0296e7c90c6a681c19a09c3a4b650a7982970a023946997bda4fd406ffb1c063a33786ac705c4c1c1f5da11b50dfe2a08f8422c63ef4d0c572

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1203 Exploitation for Client Execution (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1082 System Information Discovery (3)

    T1012 Query Registry (2)