General
-
Target
PurchaseOrder-ProjectNo-8879_ECOFIX.docx
-
Size
179KB
-
Sample
241030-me81ma1gkk
-
MD5
4b4dd7f09a3f3435dd6ad0c3e0ebdec5
-
SHA1
d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
-
SHA256
c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
-
SHA512
8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
-
SSDEEP
3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z
Malware Config
Extracted
formbook
4.1
btrd
toulouse.gold
launchyouglobal.com
margarita-services.com
dasnail.club
casa-hilo.com
hardscapesofflorida.com
thepositivitypulse.com
kkmyanev.cfd
love6ace22.top
castorcruise.com
chch6.com
h59f07jy.cfd
saatvikteerthyatra.com
fxsecuretrading-option.com
mostbet-k1o.click
36-m.beauty
ko-or-a-news.com
eurekatextile.com
gynlkj.com
deepsouthcraftsman.com
Targets
-
-
Target
PurchaseOrder-ProjectNo-8879_ECOFIX.docx
-
Size
179KB
-
MD5
4b4dd7f09a3f3435dd6ad0c3e0ebdec5
-
SHA1
d4c5dfc8f8e01aed7fbba3ae7c3bce2169a779b1
-
SHA256
c7fbb69621184bcde9042d22bf4e52b973ef7b5187b6446b362c32640469740c
-
SHA512
8e6a7f1e422e71a842052d23b2d2c5808fa0aeebd8a4861704fc471e5987e9e4241b8436324ba1c919b910f991f141f8cb28b80bde5ae783b412cbfb32b6ba53
-
SSDEEP
3072:UiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUkGZZ:e5r/g+qZMpcFSQzYHut4dZ+Z
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-