formbook

General

Target

14.xlam
Size

15KB
Sample

210506-jfyk3g2z92
MD5

11e9376ee19889ee5c08e816b1d3b231
SHA1

d22b56bedc58de7da73d647a5f3048b9cabc17d7
SHA256

cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
SHA512

fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Targets

- Target
  
  14.xlam
- Size
  
  15KB
- MD5
  
  11e9376ee19889ee5c08e816b1d3b231
- SHA1
  
  d22b56bedc58de7da73d647a5f3048b9cabc17d7
- SHA256
  
  cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
- SHA512
  
  fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b
Score

10^/10

formbook rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Formbook Payload

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Use of msiexec (install) with remote resource

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2