General

  • Target: new PO.doc

  • Size: 11KB

  • Sample: 220127-qacneadeb4

  • MD5: e3d32174d143f46aaf7b43e6862486a6

  • SHA1: d935eb9f53e0abface9c121fbd7e49a25937711b

  • SHA256: ed0af10c135f953a2099dee2aad9ef39fbd2c4b942a0bbeaea1e1bfe341a0d7c

  • SHA512: 5e57067080c9280b034af90f9d42085103a407d5c9487b2c5b720a105d01b9f7033d9a5ac7d1246adcca2c049cefd3b6599b4a0c41c0451da01e7244983c6091

Malware Config (Extracted)

  • Family: formbook

  • Version: 4.1

  • Campaign: fezu

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution (1 technique): Exploitation for Client Execution (T1203)

  • Defense Evasion (1 technique): Modify Registry (T1112)

  • Discovery (2 techniques): Query Registry (T1012), System Information Discovery (T1082)

Tasks