Overview

overview

10

Static

static

1

Swift Payment.xls

windows7-x64

10

Swift Payment.xls

windows10-2004-x64

10

Resubmissions

29-08-2024 14:12

240829-rhtsbswarc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Swift Payment.xls

  • Size

    537KB

  • Sample

    240829-rhtsbswarc

  • MD5

    3ddbb73564bd5da178d353887cb82cf1

  • SHA1

    9e7cfbac422ef392dff72228be57a86f37eed26a

  • SHA256

    eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847

  • SHA512

    c4cc01cc620b8f5cf457221679760f5a36e32cf1d2fa42f3a30bac8949bd152ab0097e2ce02da70111533b0b21c43a71200aba97362c0270623a56a2b1d44d0e

  • SSDEEP

    12288:pNsZ4UeZzxvJLrl0jHUxIbuKlt70AFg7JzXAZo+r:s2xxJIUgL0AGkb

Score
10/10
formbookb48ndefense_evasiondiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b48n

Decoy

anifestmindset.net

ommybahamabigsales.shop

3tcxr.xyz

iano-world.net

rconf23.net

atherpa.shop

trllrpartners.club

5sawit777.pro

ctbhuxcdreioijresol.top

opinatlas.app

pinstar.xyz

mfengwa.top

8games13.xyz

tickpaket.online

iphuodongallbbtbtm.top

ental-bridges-51593.bond

laywithkemon.rest

lkpiou.xyz

a88.land

igfloppafan.club

Targets

    • Target

      Swift Payment.xls

    • Size

      537KB

    • MD5

      3ddbb73564bd5da178d353887cb82cf1

    • SHA1

      9e7cfbac422ef392dff72228be57a86f37eed26a

    • SHA256

      eaf3b9c1bdaf72da0a5d2a1a8c4f128712463c558e8af23830126bf07ef63847

    • SHA512

      c4cc01cc620b8f5cf457221679760f5a36e32cf1d2fa42f3a30bac8949bd152ab0097e2ce02da70111533b0b21c43a71200aba97362c0270623a56a2b1d44d0e

    • SSDEEP

      12288:pNsZ4UeZzxvJLrl0jHUxIbuKlt70AFg7JzXAZo+r:s2xxJIUgL0AGkb

    Score
    10/10
    formbookb48ndefense_evasiondiscoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks