Overview

overview

10

Static

static

1

29082024_0...to.xls

windows7-x64

10

29082024_0...to.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29082024_0144_28082024_Nuevo orden agosto.xls

  • Size

    555KB

  • Sample

    240829-b55kcayhpp

  • MD5

    0eca5068b23513d7d20d9f05b5a33cde

  • SHA1

    b11da160460403bacb257d4832ca617fcf8c9840

  • SHA256

    b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b

  • SHA512

    2b16f2c208573a9361b646e34b6ac627fb3d9b80fb0ff7a09cf3d0e5bfeefb2d09ad482e428a5effe80a3da1267df4c07f08728f589ea6b01324ef6adb102d16

  • SSDEEP

    12288:++M2PYL9XdP7MqOZzCSbxuKuw+9WompCHYCFxi7Ehh7wYf:+cPYLpdwZdMK3ewCHTqo0Y

Score
10/10
formbookb48ndefense_evasiondiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b48n

Decoy

anifestmindset.net

ommybahamabigsales.shop

3tcxr.xyz

iano-world.net

rconf23.net

atherpa.shop

trllrpartners.club

5sawit777.pro

ctbhuxcdreioijresol.top

opinatlas.app

pinstar.xyz

mfengwa.top

8games13.xyz

tickpaket.online

iphuodongallbbtbtm.top

ental-bridges-51593.bond

laywithkemon.rest

lkpiou.xyz

a88.land

igfloppafan.club

Targets

    • Target

      29082024_0144_28082024_Nuevo orden agosto.xls

    • Size

      555KB

    • MD5

      0eca5068b23513d7d20d9f05b5a33cde

    • SHA1

      b11da160460403bacb257d4832ca617fcf8c9840

    • SHA256

      b171b5e7c7abd247edcc25f1c00301e89f1e9715ed6d98f03f4b6a6674c5834b

    • SHA512

      2b16f2c208573a9361b646e34b6ac627fb3d9b80fb0ff7a09cf3d0e5bfeefb2d09ad482e428a5effe80a3da1267df4c07f08728f589ea6b01324ef6adb102d16

    • SSDEEP

      12288:++M2PYL9XdP7MqOZzCSbxuKuw+9WompCHYCFxi7Ehh7wYf:+cPYLpdwZdMK3ewCHTqo0Y

    Score
    10/10
    formbookb48ndefense_evasiondiscoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks