General

  • Target

    Purchase Order - Project No-8879_ECOFIX.docx

  • Size

    179KB

  • Sample

    241030-mdbcza1eqh

  • MD5

    4b4dd7f09a3f3435dd6ad0c3e0ebdec5

  • SHA1

    d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1

  • SHA256

    c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c

  • SHA512

    8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53

  • SSDEEP

    3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

Targets

    • Target

      Purchase Order - Project No-8879_ECOFIX.docx

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook family

    • Formbook payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks