Overview

overview

10

Static

static

1

PROFORMA INVOICE.xls

windows7-x64

10

PROFORMA INVOICE.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PROFORMA INVOICE.xls

  • Size

    706KB

  • Sample

    240923-rbjnsayaml

  • MD5

    a387e1b3ddfebd3a54d76332e03c7429

  • SHA1

    84e7c4c1c9ea719e03a9ad35b17552ef52f0939e

  • SHA256

    fb5a6a5965acca3363cbd1157c564584f2b85f41c6ec10a659e05cb559800202

  • SHA512

    ef088fb7ed0d6e47cd88d267b4c2bed52be5c046984c1e47a3abb598266ee1b5787133dae27bd66ef401fcdda7515de682be99e948d3bd236481a74e697c0a37

  • SSDEEP

    12288:m+UOAsHFnd7HeT/o8gg8Rsfe8Lyi6PlCJ6lKR+PFPSm/YBxyxdDEyawqkLP:mepsAbg8RGetCJR+P1SbiEzK

Score
10/10
formbookj62tdefense_evasiondiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j62t

Decoy

qualegacy.shop

ijngblv.top

hop-tiktok.top

nti-aging-66026.bond

ostashqiptare-al.info

faretireltd.info

dra.finance

arden-office-45382.bond

nair.today

dence.tokyo

omoantifragilis.net

eet-new-people-26331.bond

ocfamilyto.llc

roduct-tester-jobs-68513.bond

elestialaurelia.buzz

uzzbuilders.buzz

ryptofaucet.xyz

krfq.shop

jbhu.vip

uemw.top

Targets

    • Target

      PROFORMA INVOICE.xls

    • Size

      706KB

    • MD5

      a387e1b3ddfebd3a54d76332e03c7429

    • SHA1

      84e7c4c1c9ea719e03a9ad35b17552ef52f0939e

    • SHA256

      fb5a6a5965acca3363cbd1157c564584f2b85f41c6ec10a659e05cb559800202

    • SHA512

      ef088fb7ed0d6e47cd88d267b4c2bed52be5c046984c1e47a3abb598266ee1b5787133dae27bd66ef401fcdda7515de682be99e948d3bd236481a74e697c0a37

    • SSDEEP

      12288:m+UOAsHFnd7HeT/o8gg8Rsfe8Lyi6PlCJ6lKR+PFPSm/YBxyxdDEyawqkLP:mepsAbg8RGetCJR+P1SbiEzK

    Score
    10/10
    formbookj62tdefense_evasiondiscoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks