Overview

overview

10

Static

static

Angebot an...og.xls

windows7-x64

10

Angebot an...og.xls

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Angebot anfordernDE5538100- Musterkatalog.xls

  • Size

    1.6MB

  • Sample

    221210-krldzsfc22

  • MD5

    35af111bd1bc8ee2f63a3b0e377526ff

  • SHA1

    34ac11f6704e033dea5ee1049d4fca5501cf8d94

  • SHA256

    8e7618527c598229899d7fcae8098c6031231acbcc9574061215b3658761c0aa

  • SHA512

    15d6244954b35a6ff9f885c661e35b8e551d95563461c85ce5d85b705e62b4e18ae7188360f1bb6c8c0258d8b2a92aebad30c7ac64d638bea221b7baaa43dcc6

  • SSDEEP

    24576:0zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDUmeRr5XXXXXXXXXXXXUXXXXXXXrXXXC:B5h0fuYgM

Score
10/10
formbookdwdppersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Targets

    • Target

      Angebot anfordernDE5538100- Musterkatalog.xls

    • Size

      1.6MB

    • MD5

      35af111bd1bc8ee2f63a3b0e377526ff

    • SHA1

      34ac11f6704e033dea5ee1049d4fca5501cf8d94

    • SHA256

      8e7618527c598229899d7fcae8098c6031231acbcc9574061215b3658761c0aa

    • SHA512

      15d6244954b35a6ff9f885c661e35b8e551d95563461c85ce5d85b705e62b4e18ae7188360f1bb6c8c0258d8b2a92aebad30c7ac64d638bea221b7baaa43dcc6

    • SSDEEP

      24576:0zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDUmeRr5XXXXXXXXXXXXUXXXXXXXrXXXC:B5h0fuYgM

    Score
    10/10
    formbookdwdppersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks