
Rewterz Threat Alert – Multiple Malware Campaigns – IoCs

Severity

Medium

Analysis Summary

A malicious Microsoft Word document has been reported that contains a link to a phishing page built to harvest the login credentials of the victim's personal email accounts.

A Rich Text Format (RTF) file was reported that embeds six Microsoft Excel worksheets carrying Visual Basic (VB) macros. The macros invoke PowerShell to download a payload onto the system.

Another reported file is a 32-bit Windows .NET executable that acts as a dropper: it installs a second 32-bit Windows executable, identified as a variant of the FormBook malware. During analysis the FormBook executable injected itself into several Windows processes and collected victim data including keystrokes, clipboard contents, screenshots, and stored passwords from web browsers and other applications.

Impact

Credential Theft

System Access

Information Disclosure

Malware Infection

Indicators of Compromise

IP(s) / Hostname(s)

178.159.36[.]107
107.187.95[.]198
192.64.115[.]93
203.170.80[.]250
206.188.192[.]179
81.27.85[.]17
94.136.40[.]51

Domain(s)

igyygyigus[.]com
weddingofmyday[.]info
41230935[.]net
becoolpickuptruckhub[.]live
bonzaj[.]com
brysoldstop[.]win
corito78[.]party
dailylondonfashion[.]com
e-pennys[.]com
jyoumon-farm[.]com
lanpaizhilian[.]com
mesayang[.]com
pcshooot[.]win
queensofthescene[.]com
spainbythesea[.]uk
t70ia[.]info
topcars[.]guru
zhuangshi[.]ink

Filename(s)

ProformAdviseMarch19.doc
Oswald Crescent-converted.docx
Payment_TT_Copy-pdf.exe
bin.exe

Email Address

Rena_564[@]hotmail[.]com
Malware Hash (MD5)

4aa1bb25d9858452194548825836db66
9fdc3857779c18f9802b39d7f3caf90b
e6aa24cabafb1f66e2e874a1722acd13
e1c2d815112ade0e7ad765485f72b337

Malware Hash (SHA256)

3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f
854a864b0b0465c352a24ba09ec3b4c0f24684e9c4ad4f8900f605e4705cf74e
4fcaff67dd797d6bc76d9a1202838542bf88789a7ef6e4ac5ec0ca5f1a5301e1
d6646857d68f0fe855887571c65f3ae3d89e74a59ea3f77bf576943103a84eb0
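The indicators above are published defanged ([.] and [@]) so they cannot be clicked by accident. To act on them, whether that means blocking at a proxy or sweeping existing logs for earlier contact, they have to be refanged and sorted by type. The script below is an added example written for this alert, not Rewterz tooling: it takes a subset of the advisory's own indicators as sample input (paste the full list in the same one-per-line form to cover all of them), classifies each one, and scans a few log lines. The classifier relies on the advisory's own convention that only network and e-mail indicators are defanged, so a bare dot marks a filename. The log lines are constructed for the demonstration and are not real telemetry.

```python
"""Refang and sort the advisory's indicators, then sweep log lines for them.

Added example for this alert, not Rewterz tooling. ADVISORY_IOCS holds a few
indicators copied from the IoC section above (still defanged); SAMPLE_LOGS
are constructed proxy and mail log lines, not real telemetry.
"""
import re
from collections import defaultdict

# Subset of the advisory's IoCs, one per line, defanged exactly as published.
ADVISORY_IOCS = """
178.159.36[.]107
94.136.40[.]51
weddingofmyday[.]info
igyygyigus[.]com
topcars[.]guru
ProformAdviseMarch19.doc
bin.exe
Rena_564[@]hotmail[.]com
4aa1bb25d9858452194548825836db66
3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f
"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def refang(indicator: str) -> str:
    """Undo the [.] and [@] defanging used in the advisory."""
    return indicator.replace("[.]", ".").replace("[@]", "@")


def classify(raw: str) -> str:
    """Type an indicator from its *defanged* form. The advisory defangs only
    network and e-mail indicators, so a bare '.' marks a filename, not a host."""
    if "[@]" in raw:
        return "email"
    if "[.]" in raw:
        octets = refang(raw).split(".")
        if len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets):
            return "ip"
        return "domain"
    if re.fullmatch(r"[0-9a-fA-F]+", raw) and len(raw) in HASH_KINDS:
        return HASH_KINDS[len(raw)]
    return "filename"


def parse_iocs(text: str) -> dict:
    """Return {kind: set(refanged, lower-cased indicators)}."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        raw = line.strip()
        if raw:
            iocs[classify(raw)].add(refang(raw).lower())
    return dict(iocs)


def _pattern(kind: str, value: str) -> "re.Pattern":
    """Whole-token regex so 'bin.exe' does not fire on 'cabin.exe' and an IP
    does not fire on a longer address that merely starts with the same digits."""
    v = re.escape(value)
    if kind == "domain":
        # the domain itself or any subdomain of it, e.g. cdn.weddingofmyday.info
        return re.compile(r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + v + r"(?![a-z0-9-])")
    if kind == "ip":
        return re.compile(r"(?<![0-9.])" + v + r"(?![0-9.])")
    return re.compile(r"(?<![a-z0-9_.-])" + v + r"(?![a-z0-9_-])")


def scan_log(lines, iocs: dict) -> list:
    """Return (line_number, kind, indicator) for every indicator seen per line."""
    compiled = [(kind, v, _pattern(kind, v))
                for kind, values in iocs.items() for v in sorted(values)]
    hits = []
    for number, line in enumerate(lines, start=1):
        low = line.lower()
        hits.extend((number, kind, v) for kind, v, pat in compiled if pat.search(low))
    return hits


# Constructed log lines for the demonstration (the last one is benign).
SAMPLE_LOGS = [
    "2019-03-18T09:12:03Z proxy 10.0.0.15 GET http://cdn.weddingofmyday.info/inv/bin.exe 200",
    "2019-03-18T09:12:04Z proxy 10.0.0.15 CONNECT 178.159.36.107:443",
    "2019-03-18T09:13:10Z smtp from=Rena_564@hotmail.com attach=ProformAdviseMarch19.doc",
    "2019-03-18T09:14:00Z proxy 10.0.0.22 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOGS, parse_iocs(ADVISORY_IOCS)):
        print(f"line {number}: {kind:<8} {value}")
```

Domains are matched together with their subdomains because C2 and lure hosts are commonly served from a subdomain of the listed apex; IPs and filenames are matched as whole tokens so that a longer address or a differently named file does not produce a false hit.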

Remediation

  • Block the threat indicators at their respective controls.
  • Maintain antivirus signatures and engines and keep them up-to-date.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Scan all software downloaded from the Internet prior to executing.
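The "true file type" check in the last bullets is straightforward to automate at a mail gateway or in a triage script. The routine below is an added example written for this alert, not Rewterz tooling: it sniffs the leading bytes of an attachment (RTF, OLE2 compound file, OOXML ZIP, PE with its e_lfanew pointer followed to the PE header, PDF) and compares the result with the claimed extension, so an RTF renamed to .doc or a PE renamed to .pdf is flagged. It also flags names built like the advisory's Payment_TT_Copy-pdf.exe, where a document keyword precedes an executable extension. The signature table is taken from the public format specifications; the sample "files" are constructed header stubs, not real documents or binaries.

```python
"""Verify that an attachment's extension agrees with its leading bytes, the
"true file type" check from the remediation list above.

Added example for this alert, not Rewterz tooling. The signature table comes
from the public file-format specifications; the sample files at the bottom
are constructed byte strings that only carry the headers being tested.
"""
import struct

# Leading bytes -> container type.
MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls compound file
    (b"PK\x03\x04", "zip"),                         # .docx/.xlsx are ZIP containers
    (b"MZ", "pe"),                                  # Windows executable (DOS stub)
    (b"%PDF", "pdf"),
]

# Container each extension must have. Anything else is a mismatch: an RTF
# renamed to .doc still opens in Word, which is exactly why lures do it.
EXPECTED = {
    "rtf": {"rtf"}, "doc": {"ole2"}, "xls": {"ole2"},
    "docx": {"ooxml"}, "xlsx": {"ooxml"},
    "pdf": {"pdf"}, "exe": {"pe"},
}

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "hta"}
DOC_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}


def _valid_pe(data: bytes) -> bool:
    """'MZ' alone is weak: follow e_lfanew (offset 0x3c) to the PE signature."""
    if len(data) < 0x40:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Return the container type implied by the file header, or 'unknown'."""
    for magic, kind in MAGIC:
        if not data.startswith(magic):
            continue
        if kind == "pe":
            return "pe" if _valid_pe(data) else "unknown"
        if kind == "zip" and b"[Content_Types].xml" in data:
            return "ooxml"  # Office Open XML marker inside the ZIP
        return kind
    return "unknown"


def looks_like_lure(name: str) -> bool:
    """Executable extension preceded by a document word, e.g. 'Copy-pdf.exe'."""
    parts = name.lower().replace("-", ".").replace("_", ".").split(".")
    return len(parts) > 1 and parts[-1] in EXEC_EXTS and bool(DOC_WORDS & set(parts[:-1]))


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension against the sniffed header."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = sniff(data)
    allowed = EXPECTED.get(ext, set())
    return {
        "name": name,
        "extension": ext,
        "detected": detected,
        "extension_matches": detected in allowed,  # unknown extensions never pass
        "lure_name": looks_like_lure(name),
    }


# Constructed stubs: just enough header to exercise the checks.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
FAKE_OOXML = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
FAKE_RTF = b"{\\rtf1\\ansi\\deff0 {\\object\\objemb ...}}"

SAMPLES = [
    ("Oswald Crescent-converted.docx", FAKE_OOXML),
    ("ProformAdviseMarch19.doc", FAKE_RTF),   # RTF content behind a .doc name
    ("Payment_TT_Copy-pdf.exe", FAKE_PE),     # extension matches, name is a lure
    ("statement.pdf", FAKE_PE),               # PE disguised as PDF
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        r = check_attachment(name, data)
        verdict = "ok" if r["extension_matches"] and not r["lure_name"] else "SUSPICIOUS"
        print(f"{verdict:<10} {name}: .{r['extension']} vs {r['detected']}")
```

Treat any mismatch as a reason to quarantine rather than to "fix" the extension: a file whose header and name disagree is either corrupt or deliberately disguised, and in both cases the user should not be the one to find out which.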