Overview

overview

10

Static

static

10

invoice#20...#.docx

windows7-x64

10

invoice#20...#.docx

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    invoice#2022091308##.docx.doc

  • Size

    10KB

  • Sample

    220919-htr87shcfj

  • MD5

    130181c1c46545bd9a2c6245e71ebb92

  • SHA1

    20e11cc3cf525647a14a5f5f2de8f3b76d7e8c2c

  • SHA256

    76d8c2850110df1226575166f39072edd1baeb1336e17a66333321b41c94bc3e

  • SHA512

    b036e240fac33e9b74fba4200b360e1cab67673c53e8deec76afbaeaadd144f8e4d80a262de5ff5da5730c93e3caf16c3cc85e452ca8c26e32b7e29e75d37324

  • SSDEEP

    192:ScIMmtPf+CUG/bA3/w2OrrdlJFmQDZ7rhhap30sXN:SPXumAOrjJFmIZfhMF/

Score
10/10
formbooksde7ratspywarestealertrojanwebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://1806450061/...----------------------.................-----------------------......-------/...........77.doc

Extracted

Family

formbook

Version

4.1

Campaign

sde7

Decoy

lolfilmfestival.com

pousdaobosque.com

tangierfilm.com

valuedassist.com

qcrluxuryrentals.com

poc4cloudx.com

irizh.art

flowsever.com

serios-lifestyle.com

abc-diomain.com

bmwoemwarehouse.com

vivelamoda.com

thesycorax.online

goodjob129.com

hudyeanamaze.com

pabcp.com

millennialworkouts.com

gpcr-compound-library.com

rotyupin.xyz

hnkcsm.com

Targets

    • Target

      invoice#2022091308##.docx.doc

    • Size

      10KB

    • MD5

      130181c1c46545bd9a2c6245e71ebb92

    • SHA1

      20e11cc3cf525647a14a5f5f2de8f3b76d7e8c2c

    • SHA256

      76d8c2850110df1226575166f39072edd1baeb1336e17a66333321b41c94bc3e

    • SHA512

      b036e240fac33e9b74fba4200b360e1cab67673c53e8deec76afbaeaadd144f8e4d80a262de5ff5da5730c93e3caf16c3cc85e452ca8c26e32b7e29e75d37324

    • SSDEEP

      192:ScIMmtPf+CUG/bA3/w2OrrdlJFmQDZ7rhhap30sXN:SPXumAOrjJFmIZfhMF/

    Score
    10/10
    formbooksde7ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks