General

  • Target

    Order4500318042.xls

  • Size

    229KB

  • Sample

    240507-jhjncsaa76

  • MD5

    ef04a12bc8c36b451d4b9da3cd9d36d6

  • SHA1

    cf13b2aedb7a44209a7d8bbe4694150834fc50e0

  • SHA256

    c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a

  • SHA512

    cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa

  • SSDEEP

    6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ht3d

Decoy

derlon.net

46gem.vip

bridal-heart-boutique.com

porarquitectura.com

durkal.online

9916k.vip

nativegarden.net

hoodjac.com

coachwunder.com

jutuowangluo.com

frankmontagna.com

jalenx.com

yhxg.net

brasserie-bro.com

whitecoatprivilege.com

sigmadriving.com

inhkipcmacau.com

freediveexperience.com

52iwin.com

aaditt.com

Targets

    • Target

      Order4500318042.xls

    • Size

      229KB

    • MD5

      ef04a12bc8c36b451d4b9da3cd9d36d6

    • SHA1

      cf13b2aedb7a44209a7d8bbe4694150834fc50e0

    • SHA256

      c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a

    • SHA512

      cc9901d0ef11be9a8e7d79fd7b5c744637afa376a50990259d303f2c0448f5fd18e8c8691daadc92a8c1203d820eaa86db45ca165f572be01ffd2df37dbb25fa

    • SSDEEP

      6144:6d4UcLe0JOqPQZR8MDdATCR3tSv0W83l0MUl73/aLKMml:9UP/qPQZR8MxAm/S8W83lObaLK

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks