General

  • Target

    PI.xls

  • Size

    572KB

  • Sample

    221125-nlj6hsgg6z

  • MD5

    bb4c1fc0513552cb4a5845d8acad983c

  • SHA1

    176b67e99bb252345bf71b30e909a47f6f95333d

  • SHA256

    9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca

  • SHA512

    d6c0db3f2bb3bc1fcdf2f3dd42f7e8f4971b1163c219e7482734ca8feca0d2211fa0089096d0cf3a093b076898b4b260b8e48f271a27e75cff592744b47f0ace

  • SSDEEP

    12288:l5UMHq/88o5zJOcVLEP9iEtHlifM9fGaHC:l2M2C5zJwbtHv9fGa

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    nurs

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Formbook payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks