formbook

General

Target

tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
Size

1.4MB
Sample

211213-m26tsaefbp
MD5

bddbdf6c5ee73aa17771b839f06e5f5c
SHA1

1cd3640474adf50f43abc96c662e5b2fa1c7574a
SHA256

9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9
SHA512

4315212b8ad3931a0364f4193e9139bd57b216bd73c8b4494410aca0f30bad3a001b1d1cd7f3624295c2763bc8d3d72bdaf3e8f1bc3d2820c1b99b8df6662e9a

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

C2

http://www.voxelsoxx.xyz/h4d0/

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Targets

- Target
  
  tmp/9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9.xls
- Size
  
  1.4MB
- MD5
  
  bddbdf6c5ee73aa17771b839f06e5f5c
- SHA1
  
  1cd3640474adf50f43abc96c662e5b2fa1c7574a
- SHA256
  
  9c543cf77ab8f2b5348e03c96a94f9d277afc43b28d01018bd98aaf36e3dd5a9
- SHA512
  
  4315212b8ad3931a0364f4193e9139bd57b216bd73c8b4494410aca0f30bad3a001b1d1cd7f3624295c2763bc8d3d72bdaf3e8f1bc3d2820c1b99b8df6662e9a
Score

10^/10

formbook h4d0 rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Formbook Payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2