formbook

General

Target

file2083.xlam
Size

15KB
Sample

210505-sdfb9ay3nn
MD5

399563af4221cc2c176d8f218d6a563d
SHA1

72251218c8127abeab4c04944445c18bdac2688f
SHA256

cc9cefa7960d991d414051f5fe153ffa514a2e687143dd2b1b6966edbbcadbec
SHA512

bb0aef3126bc94f5bc32bddc96b4c6720b4eeeaa91c1a80c95039d4c88871fdc33ceef7cd579bd00d4acbc62987f9e6c0fa7efa08de81e4a4db8194f81f6ebea

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Targets

- Target
  
  file2083.xlam
- Size
  
  15KB
- MD5
  
  399563af4221cc2c176d8f218d6a563d
- SHA1
  
  72251218c8127abeab4c04944445c18bdac2688f
- SHA256
  
  cc9cefa7960d991d414051f5fe153ffa514a2e687143dd2b1b6966edbbcadbec
- SHA512
  
  bb0aef3126bc94f5bc32bddc96b4c6720b4eeeaa91c1a80c95039d4c88871fdc33ceef7cd579bd00d4acbc62987f9e6c0fa7efa08de81e4a4db8194f81f6ebea
Score

10^/10

formbook rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Formbook Payload

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Use of msiexec (install) with remote resource

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2