General

  • Target

    New order - Cleantech - DEC -P0 120522.xls

  • Size

    1.5MB

  • Sample

    221206-hrh8hsdd84

  • MD5

    3d495c348238d2b882dbd33e7c87b083

  • SHA1

    1333f588040498bd828c81f2a9090badd46ee54d

  • SHA256

    3912cd99823a4ab2c785ba3eb8de1a5253057c910880649ba54bc1d5ae06581c

  • SHA512

    3fc9108dc3030277ab29190878793558d43dd0d9da75b6063677fbc47d5160d0fa5dfa03cf828a3dc6b29373f8b09987aa8531c334fb817389e6e97297c98bdf

  • SSDEEP

    24576:9zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDSmAUr5XXXXXXXXXXXXUXXXXXXXrXXXN:OKd4lesYb

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Targets

    • Target

      New order - Cleantech - DEC -P0 120522.xls

    • Size

      1.5MB

    • MD5

      3d495c348238d2b882dbd33e7c87b083

    • SHA1

      1333f588040498bd828c81f2a9090badd46ee54d

    • SHA256

      3912cd99823a4ab2c785ba3eb8de1a5253057c910880649ba54bc1d5ae06581c

    • SHA512

      3fc9108dc3030277ab29190878793558d43dd0d9da75b6063677fbc47d5160d0fa5dfa03cf828a3dc6b29373f8b09987aa8531c334fb817389e6e97297c98bdf

    • SSDEEP

      24576:9zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDSmAUr5XXXXXXXXXXXXUXXXXXXXrXXXN:OKd4lesYb

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Tasks