General

  • Target: Quotation.xls
  • Size: 1.0MB
  • Sample: 230316-trytraea6t
  • MD5: 37481dd391b76ee993eeac5d5784d226
  • SHA1: ed55c8ba6e3f83b9150d25c01e4b17c592ce0531
  • SHA256: 63731f5b05a025ba4a799b245160bc8d5dff4ac8a299fea3809456ae861f40b3
  • SHA512: 8b9e23f367b57ab1c1c6b08622f61e70d9540e01df37926f7486b358721c9e81ffa39d7441ad05b93498f7f61d82d14fb33a37f6dc087e42807ee78c7f36e7d4
  • SSDEEP: 24576:FLKzWQmmav30xTjpmMjpmVEWnxLIuGh26fSHoJg99m:FLKSQmmQ308jGhJfSIC99m

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: g2fg

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                           Count  ID
  Execution             Scripting                           1      T1064
  Execution             Scheduled Task                      1      T1053
  Execution             Command-Line Interface              1      T1059
  Execution             Exploitation for Client Execution   1      T1203
  Persistence           Scheduled Task                      1      T1053
  Privilege Escalation  Scheduled Task                      1      T1053
  Defense Evasion       Scripting                           1      T1064
  Defense Evasion       Modify Registry                     1      T1112
  Discovery             System Information Discovery        4      T1082
  Discovery             Query Registry                      3      T1012