General

  • Target

    d444933d181938739f4103751692eec9

  • Size

    187KB

  • Sample

    220606-zl735agaeq

  • MD5

    d444933d181938739f4103751692eec9

  • SHA1

    07936f8e30ce9404772465c32e43fe57cadadb04

  • SHA256

    a63c1bffdc0098cc497b3e02c967ea3bf200dc71742a521564ddc3d4e0b4be41

  • SHA512

    6fcf2eb4ae1d2641648b0c69842a4b24c6de0c4cd18a8ba5d452c171f9ce35022e04e114d1ef56a092d615ec96d20354fa66fccc4bc8ce244387aa13078ce11c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g14s

Decoy

highnessmagazine.com

mokeyshop.com

remotedesktop.xyz

bicielettrica.xyz

addoncarzspa.com

ironesteem.com

asset-management-int.com

newportnewsaccounting.com

seriesyonkis2.com

hhivac.com

shrmgattlnow.com

yangzhenyu1.xyz

prettylittlenail.com

phyform.com

fggloballlc.com

gamecentertx.com

apriltoken.com

agalign.com

jointventurecoop.club

pengqianyue.tech

Targets

    • Target

      PO_6305977.xlsx

    • Size

      136KB

    • MD5

      bf43d6ef39e3ec80000aa17b5e1fa8ee

    • SHA1

      a42be18ff81fefbb550d3789770aabd7f7b0a4b2

    • SHA256

      a4c426f7bd1ff3a4292b8ee1e315d58f23a149901b1b245a0c774fa981d67afd

    • SHA512

      ad3977db3960acaf5f21185ea303831b90f6dba497d762079bda5db598db021453e354d521d35e8b6102812a50e3ed8d0ee649a4d45fc53005568c884c85b495

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

      suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks