General

  • Target

    Transfer slip.xls

  • Size

    1.0MB

  • Sample

    221123-qxzfpaab6z

  • MD5

    e02848eb9256c23985ce2d92f1eb3fed

  • SHA1

    59070bd92b372770242c0d0fe7f1bfcf86df7e80

  • SHA256

    d66bc7fd9f24dcf99ceb2c76a3996903d94c260fff462dc2152c1e1d74e8a345

  • SHA512

    ed52ff8f2b97bf05decf84a0fe276afa0943bb95f1ab3ec6c7fd25ec1039e724325cfb6030d397f7aa7fd7b4004711cc0faa9647e3bb0c5a2024b12b987fa792

  • SSDEEP

    24576:1r5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXgm7r5XXXXXXXXXXXXUXXXXXXXSXXXXXF:V

Malware Config

  • Extracted

    Family: formbook

    Campaign: dcn0

    Decoy:
      ZVx68vDtAMBCwg==
      oBMBvsNORkM/O/ox
      Ff9pISWkm6eG4lByIspp
      c2T42c6CIIF6B8xTxm9XzpVw
      bvjhxRbnAC183w==
      0lTttSNG4HUDNflyIspp
      hPXFlstqiHA/O/ox
      WLR+MeerxZ0cNn1ja+IQAYo=
      IHRn4xXOVKi477zarG+ObSy7YJA=
      Xhf3e+tdAC183w==
      Xk0ZAezv2rWH
      kngo+vBeSRN7AszNwam3Osmguuqc0MoC
      a2Qp7a+E8fSw7LDjpnqEKjsRZA==
      3zjy4E7+QM48wg==
      YcCmqT3OUNAigVott2pBKiy7YJA=
      4+SMeX1juat/5cZ1AZihcyy7YJA=
      /+m7sro0OBTl3TMpCw==
      i2ctEfe4//a64yklMsgS2J90
      +loZ2QKGX0UWgpvErMs=
      b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 3

Tasks