General

  • Target

    PO-4015 DNX.doc

  • Size

    2.2MB

  • Sample

    220131-h9ja8sgffq

  • MD5

    3f3c326776d1cca4140aec54899dd232

  • SHA1

    22f2608fde8860771b405b82bea6ec7b90aa2e13

  • SHA256

    a4f65315564c8a012c86e0f02d90d07246dbcf41347c37b93cad43b39d24f61e

  • SHA512

    703e07ea7cc623deb50fc76b5edda62e11e26c5ac37024accb5c35031c514ca13183998d2810097018118bf4ff8da98911ff4e3ba604a671c216a0b511da39b8

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    n2t4

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2