General

  • Target

    87930142ba02cbbfe0b77ab3beb3d1bc.rtf

  • Size

    80KB

  • Sample

    240509-exhbmadb55

  • MD5

    87930142ba02cbbfe0b77ab3beb3d1bc

  • SHA1

    4eae75c6e3d552ec1ff34d3ee00a7ee0d6f92bd0

  • SHA256

    3445d16ad6e5de9939611d9bc5f3169581c3bd1166ad228506d6be70ac1eacbd

  • SHA512

    7f69dc7584da9c2da36ef26eb2b1ee167800d27433383ea881b739121d706cc4330d6fe174409ce8a0518713f92a58710b0c4cac0c5b231596298962fe244a99

  • SSDEEP

    1536:LAXgS04nWQuhEWhCBt2KET+qMPsAvBgdPwVI6PbxULWI4qtqi/wEXvgaew6iAzab:IggWQuhBCB8KET+qMPsAvBgWVI6POLW8

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ht3d

Decoy

derlon.net

46gem.vip

bridal-heart-boutique.com

porarquitectura.com

durkal.online

9916k.vip

nativegarden.net

hoodjac.com

coachwunder.com

jutuowangluo.com

frankmontagna.com

jalenx.com

yhxg.net

brasserie-bro.com

whitecoatprivilege.com

sigmadriving.com

inhkipcmacau.com

freediveexperience.com

52iwin.com

aaditt.com

Targets

    • Target

      87930142ba02cbbfe0b77ab3beb3d1bc.rtf

    • Formbook

      Formbook is an information-stealing malware family. It hooks browsers, mail clients and other applications to harvest credentials and web-form data, logs keystrokes and clipboard contents, captures screenshots, and can download and run additional payloads on command from its C2. Its extracted config carries the campaign ID and a list of decoy domains that the implant contacts alongside the real C2 to hide it.

    • Formbook payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is not scanned.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

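The Defender-exclusion signature above is one of the more reliably detectable steps in this chain, but a naive string match for "Add-MpPreference" misses two common variants: PowerShell binds any unambiguous parameter-name prefix (so -ExclusionPa or -ExclusionE works as well as the full name), and powershell.exe -EncodedCommand hides the whole cmdlet behind base64 of a UTF-16LE string. The following is an added example of detection logic for this behaviour; it is not part of the sandbox report and not code from the analysed sample. The process-creation command lines in SAMPLE_LOG are constructed for the example, and the registry-write check covers the equivalent edit of the Windows Defender\Exclusions keys.

```python
import base64
import re

# Added example: detector for "PowerShell adds Windows Defender exclusions".
# All command lines in SAMPLE_LOG are constructed for this example, not
# telemetry from the analysed sample.

CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -ExclusionPa, -ExclusionPr and -ExclusionE bind to -ExclusionPath,
# -ExclusionProcess and -ExclusionExtension. Match the prefixes.
EXCL_PARAM_RE = re.compile(r"-Exclusion(Pa\w*|Pr\w*|E\w*)", re.IGNORECASE)

# powershell.exe -EncodedCommand (also -e, -ec, -enc, ...) takes base64 of a
# UTF-16LE string, so the cmdlet never appears in the raw command line.
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Same effect without PowerShell: writing the exclusion registry keys directly.
REG_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Classify one process-creation command line; alert on exclusion tampering."""
    decoded = decode_encoded_command(cmdline)
    # Search the raw line and, when present, the decoded payload.
    text = cmdline + ("\n" + decoded if decoded else "")
    cmdlets = sorted({m.group(0) for m in CMDLET_RE.finditer(text)})
    params = sorted({m.group(0) for m in EXCL_PARAM_RE.finditer(text)})
    reg_keys = sorted({m.group(1) for m in REG_RE.finditer(text)})
    alert = (bool(cmdlets) and bool(params)) or bool(reg_keys)
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "cmdlets": cmdlets,
        "exclusion_params": params,
        "registry_keys": reg_keys,
        "alert": alert,
    }


def scan(lines):
    """Return the analysis records for every line that raises an alert."""
    return [r for r in (analyze(line) for line in lines) if r["alert"]]


# Constructed sample: what an encoded variant of the signature looks like.
_HIDDEN = "Set-MpPreference -ExclusionProcess 'C:\\Users\\Public\\svc.exe'"
_ENCODED = base64.b64encode(_HIDDEN.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    # full cmdlet and parameter names
    r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public"',
    # abbreviated parameter names
    r"powershell -w hidden -ep bypass -c Add-MpPreference -ExclusionExt exe -ExclusionPr powershell.exe",
    # encoded command hiding the cmdlet
    "powershell.exe -NoP -W Hidden -Enc " + _ENCODED,
    # direct registry write instead of the cmdlet
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\Public /t REG_DWORD /d 0',
    # benign: read-only query
    r"powershell.exe -Command Get-MpPreference",
    # benign: -ExecutionPolicy is not -EncodedCommand
    r"powershell.exe -ExecutionPolicy Unrestricted -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print("ALERT", rec["cmdlets"], rec["exclusion_params"], rec["registry_keys"])
        if rec["decoded"]:
            print("  decoded:", rec["decoded"])
```

The decoded payload is searched together with the raw line, so a single rule covers both plain and encoded invocations; the two benign lines show the boundaries the regexes have to respect (-ExecutionPolicy starts with -e but is not -EncodedCommand, and Get-MpPreference only reads settings).
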
MITRE ATT&CK Enterprise v15

Tasks