General

  • Target

    SOA.xls

  • Size

    1.0MB

  • Sample

    230329-jmh8dsfc83

  • MD5

    521fc58d3dbb65572d40a1f06667166d

  • SHA1

    ebec53204ce871df7820d9e19c753dcfdf7a078a

  • SHA256

    efdb6f114d0c7bcbbce947287c49369d6094d82009f69c330b728027a02bffa4

  • SHA512

    fdc2337cc5d1c9e558f1c112b68e5c501c08023eb070236c48507781b4bf63d0b66bdb394e87d999fe9d371bf730546ada5b72dbb9be01fc3aa1eabb400f9691

  • SSDEEP

    24576:VLK9SSMMednEKakAmmjmRakAmmjmm+MXUL3OI2222222222222222222222S2rl:VLKXMhaaoeaaol+MXvS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting: 1 (T1064)

  • Scheduled Task: 1 (T1053)

  • Exploitation for Client Execution: 1 (T1203)

Persistence

  • Scheduled Task: 1 (T1053)

Privilege Escalation

  • Scheduled Task: 1 (T1053)

Defense Evasion

  • Scripting: 1 (T1064)

  • Modify Registry: 1 (T1112)

Discovery

  • System Information Discovery: 3 (T1082)

  • Query Registry: 3 (T1012)

Tasks