General

  • Target

    Aztexnika Ltd BAKU Order.xls

  • Size

    1.5MB

  • Sample

    221206-hr3l6ade27

  • MD5

    0096434371fec7c2352199a7c5d746d8

  • SHA1

    42d939a4fb5bd3ab37b20239d181cac781b9ec60

  • SHA256

    13cdbb613bb0df701013068c650cf252acfbd5034710710ab099d7c75fd41d30

  • SHA512

    c684c087e78df4bc1e904f66bbd38b497e3475e41ea5a1db3ec847ffdb11b267a368810c6dc4ec8cbada53c365b30d318e6c169d7d5611b572ac9d0b2fd69029

  • SSDEEP

    24576:XzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDWmhxr5XXXXXXXXXXXXUXXXXXXXrXXX/:YG8VBQ6Q

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Targets

    • Target

      Aztexnika Ltd BAKU Order.xls

    • Size

      1.5MB

    • MD5

      0096434371fec7c2352199a7c5d746d8

    • SHA1

      42d939a4fb5bd3ab37b20239d181cac781b9ec60

    • SHA256

      13cdbb613bb0df701013068c650cf252acfbd5034710710ab099d7c75fd41d30

    • SHA512

      c684c087e78df4bc1e904f66bbd38b497e3475e41ea5a1db3ec847ffdb11b267a368810c6dc4ec8cbada53c365b30d318e6c169d7d5611b572ac9d0b2fd69029

    • SSDEEP

      24576:XzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDWmhxr5XXXXXXXXXXXXUXXXXXXXrXXX/:YG8VBQ6Q

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks