Overview

overview

10

Static

static

RFQ- PO 31005.rtf

windows7_x64

10

RFQ- PO 31005.rtf

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ- PO 31005.doc

  • Size

    4KB

  • Sample

    220530-s5lwnseear

  • MD5

    3917a40caa205181ac6e73239ad3a8ee

  • SHA1

    bbb50ef471084e5e3c7fdb41f1c7cb078c1d9a33

  • SHA256

    f8d38396ca27592174d246b82f3fdfb2a1b0cecc296d67d236cf0502d6bf1ce8

  • SHA512

    6743d699dd0bd8dc8001f3912c2b87d7dada1f6a7bcd3b345b54bb97cd0ac4e90ccf9512e720f48b7cfad26ad8ebaf44313077c418b528c3ce18e0d000eed456

Score
10/10
formbooknk6lratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Targets

    • Target

      RFQ- PO 31005.doc

    • Size

      4KB

    • MD5

      3917a40caa205181ac6e73239ad3a8ee

    • SHA1

      bbb50ef471084e5e3c7fdb41f1c7cb078c1d9a33

    • SHA256

      f8d38396ca27592174d246b82f3fdfb2a1b0cecc296d67d236cf0502d6bf1ce8

    • SHA512

      6743d699dd0bd8dc8001f3912c2b87d7dada1f6a7bcd3b345b54bb97cd0ac4e90ccf9512e720f48b7cfad26ad8ebaf44313077c418b528c3ce18e0d000eed456

    Score
    10/10
    formbooknk6lratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks