General

  • Target

    document_00980.doc

  • Size

    18KB

  • Sample

    221123-j6qrksbh9s

  • MD5

    aff328a66fdc5b3e1233e34ea52b5210

  • SHA1

    944592196bd7042fe76dd72af790be102106e79a

  • SHA256

    1407bcb68789cb9850c5006301431cc9d1536cf6c8e63a97eb50ba11cd724ddb

  • SHA512

    7bcc02d424de8e754aa4372ebd12cda6cd229053bf4f27ba4d9c712e41bf5ea064279677931bfb29532c43fced550cfbfd122fc4da531b34808f24e97ed82bac

  • SSDEEP

    384:J43W5XH6i1kVYAlJGusEGKVOWQn5sQwzFz6ty1JCeVhSRK6XMu6:em5XHf2VYeUusEGKVdQuVzR6U1JHhmXG

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

Formbook hides its real C2 among a list of decoy domains that the bot also contacts; the entries below are the encoded strings as extracted from the sample's configuration.

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets


    • Formbook

Formbook is an information stealer: it harvests credentials and form data from browsers and mail clients, logs keystrokes and clipboard contents, can take screenshots, and loads further payloads on command from its C2.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
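The behaviours above describe a chain (Office document, .NET compiler launched as a living-off-the-land binary, dropped executable, registry geofence check, outbound connection) that a detection engineer would want to express as rules. The following is an added example, not part of the sandbox report or of any Formbook analysis: it encodes four of the listed behaviours as rules over a constructed, Sysmon-style event stream. The Event schema, the sample events (pids, paths, the TEST-NET address) and the helper names are assumptions for illustration; the SetThreadContext behaviour is left out because it needs API-level telemetry rather than process, network and registry events.

```python
"""Behaviour rules over a constructed event stream (added example, not from
the sandbox report; the event schema and the sample events are assumptions)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                   # "process", "netconn" or "regread"
    pid: int                    # acting process
    image: str                  # full path of the acting process image
    ppid: Optional[int] = None  # parent pid (process events only)
    cmdline: str = ""
    target: str = ""            # remote endpoint or registry key, by kind


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}   # compilers abused for execution
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
GEO_KEY = r"hkcu\control panel\international\geo\nation"  # country code key


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(part in path.lower() for part in USER_WRITABLE)


def has_office_ancestor(procs: dict, pid: int, max_depth: int = 8) -> bool:
    """Walk ppid links from pid; True if an Office app is an ancestor."""
    cur = procs.get(pid)
    for _ in range(max_depth):
        if cur is None or cur.ppid is None:
            return False
        cur = procs.get(cur.ppid)
        if cur is not None and basename(cur.image) in OFFICE_APPS:
            return True
    return False


def evaluate(events: list) -> dict:
    """Return {behaviour: [pids]} for each report behaviour that fires."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits: dict = {}

    def record(rule: str, pid: int) -> None:
        hits.setdefault(rule, []).append(pid)

    for e in events:
        name = basename(e.image)
        # "dropped" = runs from a user-writable path under an Office ancestor
        dropped = in_user_writable(e.image) and has_office_ancestor(procs, e.pid)
        if e.kind == "process":
            if name in DOTNET_COMPILERS and has_office_ancestor(procs, e.pid):
                record("Uses the VBS compiler for execution", e.pid)
            if dropped:
                record("Executes dropped EXE", e.pid)
        elif e.kind == "netconn" and (name in DOTNET_COMPILERS or dropped):
            record("Blocklisted process makes network request", e.pid)
        elif e.kind == "regread" and e.target.lower() == GEO_KEY:
            record("Checks computer location settings", e.pid)
    return hits


# Constructed sample events (pids, paths and the TEST-NET address are made up).
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
DROPPED = r"C:\Users\u\AppData\Local\Temp\out.exe"
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          ppid=1, cmdline='WINWORD.EXE /n "document_00980.doc"'),
    Event("process", 200, VBC, ppid=100,
          cmdline=f"vbc.exe /target:winexe /out:{DROPPED} in.vb"),
    Event("netconn", 200, VBC, target="203.0.113.10:80"),
    Event("process", 300, DROPPED, ppid=200, cmdline="out.exe"),
    Event("regread", 300, DROPPED,
          target=r"HKCU\Control Panel\International\Geo\Nation"),
    # benign noise: explorer reading an unrelated key
    Event("process", 400, r"C:\Windows\explorer.exe", ppid=1, cmdline="explorer.exe"),
    Event("regread", 400, r"C:\Windows\explorer.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"),
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: pids {pids}")
```

Walking the parent chain rather than checking only the direct parent is what keeps the dropped-EXE and network rules from being defeated by one intermediate process; the geofence rule is deliberately exact-match on the key path, since the report names only that registry lookup.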

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064) ×1
    Exploitation for Client Execution (T1203) ×1

  • Defense Evasion

    Scripting (T1064) ×1
    Modify Registry (T1112) ×1

  • Discovery

    Query Registry (T1012) ×3
    System Information Discovery (T1082) ×3
