General

  • Target

    837216bb9f9cda26fbebd58a078b6b16.docx

  • Size

    16KB

  • Sample

    240715-ptvgws1glm

  • MD5

    837216bb9f9cda26fbebd58a078b6b16

  • SHA1

    f8f72e714188e1f6afd09f7b7841437a5e8aee80

  • SHA256

    007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7

  • SHA512

    14b72385cf8b462e8425d522368426f10dcab06b5b1be1cb1bf7ca3aad799545cd9f661c38ebafce9d478f1dec36b0324cdfd81695d2a7ec60bbb2aeefbb7624

  • SSDEEP

    384:YyXg0/+HWos8PL8wi4OEwH8TIbE91r2fR4JYHviMvmbWNv:Ycg0SP5P3DOqnYJ22vlvmbWJ

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    oi12

  • Decoy

    exobello.bio
    boinga.xyz
    animasriversurf.com
    gamesflashg.com
    hayatbagievleri.online
    washington-living.com
    july7.store
    x-pod-technologies.com
    farmhouseflaire.com
    qb52aa.top
    datasynthing.xyz
    5v28n.rest
    legacycommerceltd.com
    mundodelosjuguetes.com
    wjblades.com
    z9b6g8.com
    eskimotech.net
    dreziuy.xyz
    bestsolarcompanies.services
    vertemisconsulting.com

    Formbook beacons to these decoy domains alongside its real C2 in order to mask it; they are often unrelated legitimate sites, so treat them as sample-specific context rather than as a blocklist.

Targets

    • Target

      837216bb9f9cda26fbebd58a078b6b16.docx

    • Size

      16KB

    • MD5

      837216bb9f9cda26fbebd58a078b6b16

    • SHA1

      f8f72e714188e1f6afd09f7b7841437a5e8aee80

    • SHA256

      007be9a71495d3adced6a8ff24250aa044384df75b9149b4fdcd9d3b8b609ed7

    • SHA512

      14b72385cf8b462e8425d522368426f10dcab06b5b1be1cb1bf7ca3aad799545cd9f661c38ebafce9d478f1dec36b0324cdfd81695d2a7ec60bbb2aeefbb7624

    • SSDEEP

      384:YyXg0/+HWos8PL8wi4OEwH8TIbE91r2fR4JYHviMvmbWNv:Ycg0SP5P3DOqnYJ22vlvmbWJ

    • Formbook

      Formbook is an information stealer: it harvests credentials and data entered into browsers and other applications (form grabbing, keylogging, clipboard capture) and exfiltrates them to its C2.

    • Formbook payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped payload is not scanned.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
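The "Abuses OpenXML format to download file from external location" signature above refers to the way a .docx declares links between its parts: every link lives in a *.rels XML part, and a Relationship with TargetMode="External" makes Word fetch the target when the document is opened. As an added example (not part of the sandbox report, and not the sample itself), the Python script below unpacks a .docx, reads every *.rels part and lists external relationships, separating the ones Word resolves automatically at open time (attachedTemplate, oleObject, frame, image, subDocument) from click-only hyperlinks. The document it inspects is constructed in memory and its URLs are placeholders, not indicators from this report; the AUTO_FETCH_TYPES set is an analyst heuristic, not an OpenXML-defined category.

```python
"""Triage a .docx for external relationships (remote template / OLE fetch).

Added example; not code from the sandbox report. OpenXML records every link
between package parts in *.rels XML, and a <Relationship> with
TargetMode="External" tells Word to fetch the target when the document is
opened. This script lists those relationships and separates the ones Word
resolves automatically from click-driven hyperlinks. The .docx built below
is constructed test input; its URLs are placeholders, not report indicators.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_BASE = R_NS + "/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Analyst heuristic (assumption, not an OpenXML category): external targets
# of these relationship types are fetched at open time, no click required.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image", "subDocument"}


@dataclass(frozen=True)
class ExternalRel:
    part: str         # .rels part that declares the relationship
    rel_id: str
    rel_type: str     # last segment of the Type URI, e.g. "attachedTemplate"
    target: str
    auto_fetch: bool  # resolved automatically when the document opens


def external_relationships(docx_bytes: bytes) -> List[ExternalRel]:
    """Return every TargetMode="External" relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append(ExternalRel(name, rel.get("Id", ""), rel_type,
                                         rel.get("Target", ""),
                                         rel_type in AUTO_FETCH_TYPES))
    return found


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when some external target is fetched without user interaction."""
    return any(r.auto_fetch for r in external_relationships(docx_bytes))


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx (constructed input, not the analysed sample).

    With template_url set, word/settings.xml carries an attachedTemplate whose
    target is that remote URL (the remote-template pattern); either way the
    document has one ordinary external hyperlink for contrast.
    """
    settings_rels = settings_body = ""
    if template_url:
        settings_rels = (f'<Relationship Id="rId1" Type="{REL_BASE}attachedTemplate" '
                         f'Target="{template_url}" TargetMode="External"/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
                   f'Type="{REL_BASE}officeDocument" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{PKG_NS}">'
                   f'<Relationship Id="rId2" Type="{REL_BASE}settings" Target="settings.xml"/>'
                   f'<Relationship Id="rId3" Type="{REL_BASE}hyperlink" '
                   'Target="https://example.invalid/" TargetMode="External"/></Relationships>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{settings_body}</w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{PKG_NS}">{settings_rels}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.dotm")  # placeholder URL
    for r in external_relationships(sample):
        flag = "AUTO-FETCH" if r.auto_fetch else "click-only"
        print(f"{flag:10} {r.part} {r.rel_id} {r.rel_type} -> {r.target}")
    print("suspicious:", is_suspicious(sample))
```

To apply this to the real sample, pass the file's bytes to external_relationships(). An http(s) attachedTemplate target in word/_rels/settings.xml.rels is the remote-template pattern; compare any such URL against the task's network capture rather than assuming it is the source of the MZ/PE download the report records.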

MITRE ATT&CK Enterprise v15

Tasks