General

  • Target

    MT OCEAN STAR ISO 8217 2005.xlsx

  • Size

    2.1MB

  • Sample

    210223-b6h52bw412

  • MD5

    3ba4a9ceac60a4e52398ac6fbd0ebc5b

  • SHA1

    19b79bcd8982634747f1dfc6804687d60baf73b0

  • SHA256

    ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342

  • SHA512

    ff14cc9946821af0891fb2b8ae10006ea9902f31c6cfcc5bc6739270080a3862db34e718cf82838585662a3dbad74892db78e891092a9cd0e137e86684440686

Malware Config

Extracted

Family

formbook

C2

http://www.aone223.com/67d/

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 2