General

  • Target

    PO 2463826 .doc

  • Size

    1.7MB

  • Sample

    220126-rf5f2sdehk

  • MD5

    240abfcfdc4f102cd6ff271076e932b0

  • SHA1

    eeef2cd6c2d659418a3458240b3ceebdf2157a7a

  • SHA256

    4730874c95b68b146dc126f4b4a0ee2e1da32366e3027ae8021e2f5b7a7cdc48

  • SHA512

    72ab19e0963727917a145d32ab2641259895e96f7b30a8a7e2ebd75ebc2e403688711835f21cd3bbf9e4192a5a454e10c277173c54f42e622db0e565fcbd3168

Malware Config

Extracted

  • Family    formbook
  • Version   4.1
  • Campaign  m8g9
  • Decoy     (20 domains; Formbook keeps the live C2 in the same list as the decoys, so every entry is an indicator)

    jimmycamel.com
    bestinvilnius.com
    diana-jarvis.com
    manabitown.net
    luxuryremyhair.com
    cavesage.com
    wholequote.space
    truckdrivingfuture.xyz
    ptcouponspt.com
    stainthree-shift.space
    universalstaffingpros.com
    alibi-music.com
    iqjlylro.com
    pinterestservice.com
    soolehayeiran.com
    youngplatformpro.com
    fidelitysafesecure.com
    af258.wine
    theblissdynamic.com
    aliciabrooksenglishmastiff.com
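Because Formbook mixes its real C2 domain into the decoy list, a responder hunts for the whole set rather than guessing which one is live. The Python below is an added example and not part of the Triage report: it loads the extracted config values from this page and matches DNS-query and proxy log lines against them label by label, so subdomains (www.jimmycamel.com) match but look-alike names (notjimmycamel.com) do not. The log lines, client IP, timestamps and URL path are constructed for the example.

```python
"""Hunt for the Formbook C2/decoy domain set in DNS and proxy logs.

Added example, not part of the Triage report. The config values below are
copied from the report's Malware Config section; the log lines are
constructed so the script runs offline.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Extracted config as shown in the report.
CONFIG = {
    "family": "formbook",
    "version": "4.1",
    "campaign": "m8g9",
    "decoy": [
        "jimmycamel.com", "bestinvilnius.com", "diana-jarvis.com",
        "manabitown.net", "luxuryremyhair.com", "cavesage.com",
        "wholequote.space", "truckdrivingfuture.xyz", "ptcouponspt.com",
        "stainthree-shift.space", "universalstaffingpros.com",
        "alibi-music.com", "iqjlylro.com", "pinterestservice.com",
        "soolehayeiran.com", "youngplatformpro.com", "fidelitysafesecure.com",
        "af258.wine", "theblissdynamic.com", "aliciabrooksenglishmastiff.com",
    ],
}

# Constructed sample log lines (dnsmasq-style query log plus one squid-style
# proxy line). Not taken from the report.
SAMPLE_LOGS = """\
Jan 26 09:41:02 dns dnsmasq[811]: query[A] www.jimmycamel.com from 10.0.0.23
Jan 26 09:41:02 dns dnsmasq[811]: query[A] update.microsoft.com from 10.0.0.23
Jan 26 09:41:05 dns dnsmasq[811]: query[A] notjimmycamel.com from 10.0.0.23
Jan 26 09:41:09 dns dnsmasq[811]: query[A] af258.wine from 10.0.0.23
1643190070.123 45 10.0.0.23 TCP_MISS/200 512 GET http://www.luxuryremyhair.com/index.php - HIER_DIRECT/203.0.113.9 text/html
"""


def normalise(domain: str) -> str:
    """Lower-case and strip a trailing dot so FQDN and non-FQDN forms compare equal."""
    return domain.strip().lower().rstrip(".")


# Every domain in the config is an indicator: the live C2 is one of them.
INDICATORS = frozenset(normalise(d) for d in CONFIG["decoy"])


def matches_indicator(hostname: str) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None.

    Comparison is done on whole DNS labels (walking from the full name up to
    its parents), which avoids the substring trap where notjimmycamel.com
    would wrongly match jimmycamel.com.
    """
    labels = normalise(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


def extract_hostnames(line: str) -> List[str]:
    """Pull hostnames out of a log line: dnsmasq 'query[...] name' pairs and any http(s) URL."""
    hosts: List[str] = []
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("query[") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith(("http://", "https://")):
            host = urlsplit(tok).hostname
            if host:
                hosts.append(host)
    return hosts


def scan_logs(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, observed hostname, matched indicator) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in extract_hostnames(line):
            indicator = matches_indicator(host)
            if indicator is not None:
                hits.append((lineno, host, indicator))
    return hits


if __name__ == "__main__":
    for lineno, host, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {host} -> {CONFIG['family']} {CONFIG['version']} "
              f"campaign {CONFIG['campaign']} indicator {indicator}")
```

On the constructed input this reports three hits (lines 1, 4 and 5) and correctly ignores the look-alike on line 3. Resolving which of the 20 domains is the live C2 still requires the sandbox's network capture or the Suricata check-in alert; from the config alone they are indistinguishable.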

Targets

    • Target

      PO 2463826 .doc


    • Formbook

Formbook is an information-stealing malware family: it logs keystrokes, captures browser form submissions, credentials and clipboard contents, and reports to its C2 over HTTP, hiding the live C2 domain among the decoy domains listed in its config.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                          Signatures  ID
Execution             Scheduled Task                     1           T1053
Execution             Exploitation for Client Execution  1           T1203
Persistence           Scheduled Task                     1           T1053
Privilege Escalation  Scheduled Task                     1           T1053
Defense Evasion       Modify Registry                    1           T1112
Discovery             System Information Discovery       3           T1082
Discovery             Query Registry                     2           T1012