General

  • Target: Revised PO1KT762000.xls
  • Size: 1.5MB
  • Sample: 221205-hhgy4aeb93
  • MD5: 843c4da4aee00e6b09c25094ea9d58d3
  • SHA1: 1d28b92e837b25bd521fd6658380284112a2ceb3
  • SHA256: 12d9f677ce3ebfccf60ffa363ee78d8de4e7846f1511a67c25b84bdcb25edad7
  • SHA512: e9f34a1f7804a28f97f8cf1dad95ed1c4b2a664b53e61b4ffbc1bd3d9aa8f7c51b85c29b204493806696d04fb4e4c88b434f443646cfb4352f6eb935f955aaab
  • SSDEEP: 24576:ZzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDvmV8r5XXXXXXXXXXXXUXXXXXXXrXXXZ:64oMXXtnYCX

Malware Config

  • Extracted

    Family: formbook
    Version: 4.1
    Campaign: dv22

  • Decoy

    ivk-muc.com
    theplantgranny.net
    efefefficient.buzz
    car-deals-87506.com
    yangcongzhibo.net
    empiralventures.com
    latexpillo.com
    ferramentafivizzanese.shop
    kx1553.com
    timamollo.africa
    paran6787.net
    fabicilio.online
    kreativnettchen.shop
    manakamana.co.uk
    andreapeverelli.shop
    jianf.site
    kmqan.xyz
    aoshilang.com
    dnsmctmu.com
    pumpkinsmp.net

Targets

    • Formbook: Formbook is an information-stealing malware family.
    • Formbook payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting: T1064 (1)
    Command-Line Interface: T1059 (1)
    Exploitation for Client Execution: T1203 (1)

  • Defense Evasion

    Scripting: T1064 (1)
    Modify Registry: T1112 (1)

  • Discovery

    Query Registry: T1012 (2)
    System Information Discovery: T1082 (3)
