General

  • Target

    SecuriteInfo.com.Other.Malware-gen.29890.16438.xlsx

  • Size

    288KB

  • Sample

    221202-kerp8sab99

  • MD5

    8b330fca4e3f56131727b3fc246ea937

  • SHA1

    ee2f2a899e8f2ee68a1b1bbcf3d54625682944f0

  • SHA256

    489e6a77763d56312fa2f10bf16dda809618217106b58709e29ccd8fed01a9a6

  • SHA512

    c489c96918d453e1527df509d9dce4a853e00764957777f5b38d226fd7dc978ec0ca410f9a76b80d8966a92ae6611ceaee5aa0673fea39713bf27bef68b7387c

  • SSDEEP

    6144:P/uZ+RwPONXoRjDhIcp0fDlavx+W26nAKGy0PQmU1Nd00lzL3:PFQmUdFB

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

us90

Decoy

1expresno.app

thepsychic.africa

burjbinghattitower.com

hotelurgell.com

goldenassistant.com

ecovod-servise.ru

kbjnonprofit.com

dope.trade

babylon-it.net

dsatyui.xyz

myexpertisebybbl.app

2185866.com

inboxwired.xyz

lamy.life

gic-invest.info

eliteconstructionsni.co.uk

lamygeo.com

courean.space

cremation-services-75688.com

fapearte.com

Targets

    • Target

      SecuriteInfo.com.Other.Malware-gen.29890.16438.xlsx

    • Size

      288KB

    • MD5

      8b330fca4e3f56131727b3fc246ea937

    • SHA1

      ee2f2a899e8f2ee68a1b1bbcf3d54625682944f0

    • SHA256

      489e6a77763d56312fa2f10bf16dda809618217106b58709e29ccd8fed01a9a6

    • SHA512

      c489c96918d453e1527df509d9dce4a853e00764957777f5b38d226fd7dc978ec0ca410f9a76b80d8966a92ae6611ceaee5aa0673fea39713bf27bef68b7387c

    • SSDEEP

      6144:P/uZ+RwPONXoRjDhIcp0fDlavx+W26nAKGy0PQmU1Nd00lzL3:PFQmUdFB

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks