Overview

overview

10

Static

static

Order list.rtf

windows7-x64

10

Order list.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order list.doc

  • Size

    32KB

  • Sample

    221206-nz6axaef99

  • MD5

    4fb9a0f253fae2dcd2ebd9327855706e

  • SHA1

    61f9c00a4f2cb2c5acefc497bbe9c035ef4b5b8b

  • SHA256

    306caca869e40f7d5a867f3ab7e91493886210888715b26f55578517a75889ad

  • SHA512

    425f9fdf36be24da077f907cfda97c7dd4f24a8995cf2902bdd0526490667e7efc5c8387c294a279fd457f833fa660d0067d42282096b2bb15a9cd16415e9ef0

  • SSDEEP

    768:XFx0XaIsnPRIa4fwJMFM4BZj163DLZQexNoGF88fVvif:Xf0Xvx3EM3BZY332ANdvif

Score
10/10
formbookw086ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Targets

    • Target

      Order list.doc

    • Size

      32KB

    • MD5

      4fb9a0f253fae2dcd2ebd9327855706e

    • SHA1

      61f9c00a4f2cb2c5acefc497bbe9c035ef4b5b8b

    • SHA256

      306caca869e40f7d5a867f3ab7e91493886210888715b26f55578517a75889ad

    • SHA512

      425f9fdf36be24da077f907cfda97c7dd4f24a8995cf2902bdd0526490667e7efc5c8387c294a279fd457f833fa660d0067d42282096b2bb15a9cd16415e9ef0

    • SSDEEP

      768:XFx0XaIsnPRIa4fwJMFM4BZj163DLZQexNoGF88fVvif:Xf0Xvx3EM3BZY332ANdvif

    Score
    10/10
    formbookw086ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks