formbook

General

Target

PO 212RC048.doc
Size

3KB
Sample

211210-mjtrhahecj
MD5

b7637e47ba59800d5286f30c15ab1a8a
SHA1

b593004f32c805fff51af01d46a2845f7870f8a3
SHA256

dd131b523e19862053b938fcd6468db4a3a6e42259c1fd01d854bd87225a2019
SHA512

d9a7b8133023bf4288cdaae62e9e5b31363430b7c8e779b6e08e10db2f03db867e85c1b683072085bd9bffe9addc23be4800e74220e9cc09712fd0f92b688e44

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

C2

http://www.voxelsoxx.xyz/h4d0/

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Targets

- Target
  
  PO 212RC048.doc
- Size
  
  3KB
- MD5
  
  b7637e47ba59800d5286f30c15ab1a8a
- SHA1
  
  b593004f32c805fff51af01d46a2845f7870f8a3
- SHA256
  
  dd131b523e19862053b938fcd6468db4a3a6e42259c1fd01d854bd87225a2019
- SHA512
  
  d9a7b8133023bf4288cdaae62e9e5b31363430b7c8e779b6e08e10db2f03db867e85c1b683072085bd9bffe9addc23be4800e74220e9cc09712fd0f92b688e44
Score

10^/10

formbook h4d0 rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Formbook Payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2