Overview

overview

10

Static

static

Solink quo...2.xlsx

windows7_x64

10

Solink quo...2.xlsx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Solink quotation 001 56327 27.06.2022.xlsx

  • Size

    163KB

  • Sample

    220628-kbvmqagbcr

  • MD5

    8639b3fe327dffdd19d7b06f03aec4b3

  • SHA1

    63794504c8c28ae45c8e3be78defb5437de3a8b7

  • SHA256

    1b9b86b949cb2665f607902896b624fc29a185a451750c232cf88937286c1417

  • SHA512

    75079359e6a2bfc6279441e3d04a2047fa11d8380bad85548e84f49da8223c46dd10d7d9f44de762d8c8487d5fe091672682bc777dc9da19b82d49ac9958b6b1

Score
10/10
formbookba17ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Targets

    • Target

      Solink quotation 001 56327 27.06.2022.xlsx

    • Size

      163KB

    • MD5

      8639b3fe327dffdd19d7b06f03aec4b3

    • SHA1

      63794504c8c28ae45c8e3be78defb5437de3a8b7

    • SHA256

      1b9b86b949cb2665f607902896b624fc29a185a451750c232cf88937286c1417

    • SHA512

      75079359e6a2bfc6279441e3d04a2047fa11d8380bad85548e84f49da8223c46dd10d7d9f44de762d8c8487d5fe091672682bc777dc9da19b82d49ac9958b6b1

    Score
    10/10
    formbookba17ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks