Overview

overview

10

Static

static

AWB_NO_928...2.xlsx

windows7_x64

10

AWB_NO_928...2.xlsx

windows10-2004_x64

1

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AWB_NO_9284730932.xlsx

  • Size

    206KB

  • Sample

    220505-fzt9msaaam

  • MD5

    5d7eb39dcf8fb650cf9a5cb7f3c66f89

  • SHA1

    f73f4854f32b82851e6537758900541772c2181b

  • SHA256

    5d81ecea3ddb68a54c0bfdf6a5da1061ce81f3abb559032bf4cf1c412423454d

  • SHA512

    29621937e83117e08ac9d75148bcba58226c4b0d2ff3139af4e1b105862ed9ad5270fdb6fd353347ff48063edd15b6756402ae603bb72d1321c6a69565647b79

Score
10/10
formbookfw02ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Targets

    • Target

      AWB_NO_9284730932.xlsx

    • Size

      206KB

    • MD5

      5d7eb39dcf8fb650cf9a5cb7f3c66f89

    • SHA1

      f73f4854f32b82851e6537758900541772c2181b

    • SHA256

      5d81ecea3ddb68a54c0bfdf6a5da1061ce81f3abb559032bf4cf1c412423454d

    • SHA512

      29621937e83117e08ac9d75148bcba58226c4b0d2ff3139af4e1b105862ed9ad5270fdb6fd353347ff48063edd15b6756402ae603bb72d1321c6a69565647b79

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      decrypted

    • Size

      200KB

    • MD5

      9772d97019deb626f2582bc1d9164ac5

    • SHA1

      6d929c049b0983c89edd5f2eb9caf30414e1f6d5

    • SHA256

      d252d20addae437f4ce01e2207c36a0b589633fb2f3128b4c6c450c0a01b2715

    • SHA512

      3a53cf67b02b7d20c7d3dd659844633c50a0f2ede46286c98935f2d780d2c858998ac7a9b448750f6dbf75cb7d124d0555bbb38af07573f74858f93e58ee2fae

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

2
T1064

Exploitation for Client Execution

2
T1203

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Scripting

2
T1064

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

7
T1082

Query Registry

4
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks