Overview

overview

10

Static

static

AWB_NO_928...2.xlsx

windows7_x64

10

AWB_NO_928...2.xlsx

windows10-2004_x64

1

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AWB_NO_9284730932.xlsx

  • Size

    206KB

  • Sample

    220504-hn8c8sdbg4

  • MD5

    ac51ee7895bdd36274338052fe6eb603

  • SHA1

    43386f7306264f0641d4fc7dac0f4759ad3b8d0c

  • SHA256

    877d48860111e3ddad04e136fffe054929e54d8d31444b84fe82f1f43b05518c

  • SHA512

    745a2adabd5fe71f349fd3863c5101ac8f253312da85aba87868636beb9bd37b269838b36d1ae967819e27f6b7f3f6b1ab282389c3ffc83e6d112868904df73b

Score
10/10
formbookfw02ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Targets

    • Target

      AWB_NO_9284730932.xlsx

    • Size

      206KB

    • MD5

      ac51ee7895bdd36274338052fe6eb603

    • SHA1

      43386f7306264f0641d4fc7dac0f4759ad3b8d0c

    • SHA256

      877d48860111e3ddad04e136fffe054929e54d8d31444b84fe82f1f43b05518c

    • SHA512

      745a2adabd5fe71f349fd3863c5101ac8f253312da85aba87868636beb9bd37b269838b36d1ae967819e27f6b7f3f6b1ab282389c3ffc83e6d112868904df73b

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      decrypted

    • Size

      199KB

    • MD5

      045fef4f9dae5162449cb0dadbf82df1

    • SHA1

      6a26ce7489ad95c4fbae05df9d268ff5ceae5498

    • SHA256

      bddcd8a65e3a8a5bccf3d39865ed76e7f69e357ca0094b8324f1f3501b975c91

    • SHA512

      2d04bfbbe7036dea4e6ae2def0de54fcdecf118d2ec3bc509ecbbd13587f04f50b0a3970eedc682dc77eb1704248484d954612ac7065786e4f86c5e35ae4c222

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

2
T1064

Exploitation for Client Execution

2
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

2
T1064

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

6
T1082

Query Registry

4
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks