General

  • Target

    AWB BL CI Document.xls

  • Size

    761KB

  • Sample

    221121-shbgeseg76

  • MD5

    7c72863c8a8f132ea8ffa2d722893b4a

  • SHA1

    8f31f881f55f96542dbcc90a4f826a64b4dc4b89

  • SHA256

    b317746be65f640bf759bf554376733822291f763c3e9cca49d0c8ac4892e251

  • SHA512

    07f2b7062b424be260257392f2a624d8da9e1eef549f5644c6527ce1aede2121e9a25525ae527e6afb3f73dab46c0b3f77e228fe11316f61f6dbfda0b7c4511e

  • SSDEEP

    12288:ZIN3rDx7XXXXXXXXXXXXUXXXXXXXqXXXXXXXXiTmXbIN3rDx7XXXXXXXXXXXXUX2:or5XXXXXXXXXXXXUXXXXXXXqXXXXXXXk

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    f4ca

  • Decoy


Targets


    • Formbook

      Formbook is a data-stealing malware family.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic           Technique                          ID       Count
  Execution        Scripting                          T1064    1
  Execution        Exploitation for Client Execution  T1203    1
  Defense Evasion  Scripting                          T1064    1
  Defense Evasion  Modify Registry                    T1112    1
  Discovery        Query Registry                     T1012    2
  Discovery        System Information Discovery       T1082    2

Tasks