Overview

overview

10

Static

static

DHL_AWB_NO...1.xlsx

windows7_x64

10

DHL_AWB_NO...1.xlsx

windows10-2004_x64

1

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHL_AWB_NO#907853880911.xlsx

  • Size

    183KB

  • Sample

    220512-hqxdraahb6

  • MD5

    bece4088b65375dedc691a405346fd23

  • SHA1

    8460d896a3fc1adc72a28906421866bfb1d28605

  • SHA256

    38ae577459ca9c000a1a5ae910e9b1768480a97aba71835caaa48ffdddc7622d

  • SHA512

    42d0ed9ec6943231052f342a84ba2276e08a4e23c85f30fee0ba2de7b6785d2f35bb97a15145526b7ef43488172b5f3ef95b9941d16291a548780be48af2ca9d

Score
10/10
formbookfw02ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Targets

    • Target

      DHL_AWB_NO#907853880911.xlsx

    • Size

      183KB

    • MD5

      bece4088b65375dedc691a405346fd23

    • SHA1

      8460d896a3fc1adc72a28906421866bfb1d28605

    • SHA256

      38ae577459ca9c000a1a5ae910e9b1768480a97aba71835caaa48ffdddc7622d

    • SHA512

      42d0ed9ec6943231052f342a84ba2276e08a4e23c85f30fee0ba2de7b6785d2f35bb97a15145526b7ef43488172b5f3ef95b9941d16291a548780be48af2ca9d

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      decrypted

    • Size

      177KB

    • MD5

      aa4955a1f9f886e93ee58db40340f6df

    • SHA1

      617e147e2b7b552c98d32f55407f838b34c84f92

    • SHA256

      8ff5e67aced69f849f9fa21e6c63085aa2882a77280ffae6eacd300ab3b0ba94

    • SHA512

      ea229f2c51a700a6372d7e3b341cf654769c448d56748edd4dbf330c464c819e465be08744d2addcdcbc509967a03df9e60c2f9e0bf2e4a9ec9297402c20f046

    Score
    10/10
    formbookfw02ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

2
T1064

Exploitation for Client Execution

2
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

2
T1064

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

6
T1082

Query Registry

4
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks