General

  • Target

    LTL20I_order.xlsx

  • Size

    255KB

  • Sample

    220615-w4b7maagaj

  • MD5

    bc64945d52b06b5a7f2259652722b4e6

  • SHA1

    3e67f1d30e44c5f4b916165fb17944a168790b3b

  • SHA256

    37321110b446c4565664a30d4729dfb08d8ee9a1d3b3c03a5203a851b831e0b2

  • SHA512

    bb3685e9dedff8bbf4d1ad8c5fdeacef1efd538045da508f3232b418848d4052eb233020301b633b6328ac6cf011cc3c93234af28a81eb069c99a81aaa6b8fa2

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s3s3

Decoy


Targets


    • Detect Neshta Payload

    • Formbook

      Formbook is a data-stealing malware family.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family spreads by infecting other files with copies of itself, damaging those files in the process.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                           Count  ID
  Execution           Scripting                           1      T1064
  Execution           Exploitation for Client Execution   1      T1203
  Persistence         Change Default File Association     1      T1042
  Defense Evasion     Modify Registry                     2      T1112
  Defense Evasion     Scripting                           1      T1064
  Credential Access   Credentials in Files                1      T1081
  Discovery           System Information Discovery        3      T1082
  Discovery           Query Registry                      2      T1012
  Collection          Data from Local System              1      T1005
