Overview

overview

10

Static

static

57672c47c1...56.rtf

windows7_x64

10

57672c47c1...56.rtf

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    57672c47c193f3a557553cab8126f356.rtf

  • Size

    10KB

  • Sample

    201125-kx4a3ncnwn

  • MD5

    57672c47c193f3a557553cab8126f356

  • SHA1

    91f23e359413106abd24ecdef8a0a2570cf39090

  • SHA256

    94bae4886fe8942d256a84af00ae297e560b1711272c0d7b05d89f98c8067890

  • SHA512

    a505cbe917419288f645ca07d0f512166de6a4387ca884f90f628a0ef524dc89f0e8d04984064429d1856cb9aa73f8cee2712205337a2f2cfccb865691222899

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.mommabearmoney.com/et2d/

Decoy

wcaconline.com

travelbackpackss.com

ao-m-nishinomiya.com

tilania.com

vegbydesign.net

mybabysisterscloset.com

sanctitude-cuspidated.com

russtybeats.com

dichvubangchuan.com

su-seikatu.info

eratosantorini.com

ninetofivemama.com

delishany.com

pawchamamapet.net

nissicloud.com

strictlyotaku.net

kissmanga.pro

appalachianfx.com

aralending.com

forbrighterlife.com

Targets

    • Target

      57672c47c193f3a557553cab8126f356.rtf

    • Size

      10KB

    • MD5

      57672c47c193f3a557553cab8126f356

    • SHA1

      91f23e359413106abd24ecdef8a0a2570cf39090

    • SHA256

      94bae4886fe8942d256a84af00ae297e560b1711272c0d7b05d89f98c8067890

    • SHA512

      a505cbe917419288f645ca07d0f512166de6a4387ca884f90f628a0ef524dc89f0e8d04984064429d1856cb9aa73f8cee2712205337a2f2cfccb865691222899

    Score
    10/10
    formbookratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks