formbook

General

Target

PO20220126.doc
Size

2.3MB
Sample

220126-rfkfwadeel
MD5

5cd86913d2c514fac26439557709aa96
SHA1

65f00339afb84c6c9e83c8a2fd4aa367d897102b
SHA256

534971b14abc0d7b16338f7a1c329d044d8d9352638b9f3bb5866d5dcd1799fa
SHA512

5404f7dd5fe2bb8256aa1c06968e5940a2adc2e92f5f15813155da50badfcbd0e3d7cb50947394e3b54aff61c70fa806a560328ee67d51640cf28f4fd4f51fed

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jg17

Decoy

oekaki-fujiwara.com

artigueslm.com

bachelordegrees.xyz

sheng-hongtec.com

escaperoommetaverse.com

absolutelyfrance.com

azgotbugs.com

mega2888.com

kx3evdh.com

conectservices.xyz

laisnova.space

nonton-video.xyz

cryptocurrency.promo

detalles432.net

rajaateknik.com

dnahomelab.xyz

leguokj.com

veocap.xyz

wu8etf5443sj.xyz

diet-plan-pros.today

Targets

- Target
  
  PO20220126.doc
- Size
  
  2.3MB
- MD5
  
  5cd86913d2c514fac26439557709aa96
- SHA1
  
  65f00339afb84c6c9e83c8a2fd4aa367d897102b
- SHA256
  
  534971b14abc0d7b16338f7a1c329d044d8d9352638b9f3bb5866d5dcd1799fa
- SHA512
  
  5404f7dd5fe2bb8256aa1c06968e5940a2adc2e92f5f15813155da50badfcbd0e3d7cb50947394e3b54aff61c70fa806a560328ee67d51640cf28f4fd4f51fed
Score

10^/10

formbook jg17 rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2