Overview

overview

10

Static

static

new order .rtf

windows7_x64

10

new order .rtf

windows10_x64

1

Resubmissions

27-01-2022 18:07

220127-wqdhjahde2 10

27-01-2022 17:44

220127-wblwcsgedq 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    new order .doc

  • Size

    541KB

  • Sample

    220127-wqdhjahde2

  • MD5

    9563bab56977f2394eb4540bf474ec4a

  • SHA1

    c510463933454eb302e2188b300ee92fbed10abb

  • SHA256

    a49a3cf3e72aacc6fa302d0b613acb1b611fd8148618a334b5bd6c47b5bac4d5

  • SHA512

    fc4fa201724001b0413d78fca57aeb455f0054f22d74738529e86b15deaca800d605365c41d96664cd75671728dba419de255ca1ac98284061da5ade0f0a6d14

Score
10/10
formbooka83rratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a83r

Decoy

comercializadoralonso.com

durhamschoolservces.com

onegreencapital.com

smartcities24.com

maquinas.store

brianlovesbonsai.com

xin41518s.com

moneyearnus.xyz

be-mix.com

fengyat.club

inspectdecided.xyz

paksafpakistan.com

orhidlnt.top

princesuraj.com

vietnamvodka.com

renewnow.site

imageservices.xyz

luxurytravelfranchise.com

kp112.red

royalyorkfirewood.com

Targets

    • Target

      new order .doc

    • Size

      541KB

    • MD5

      9563bab56977f2394eb4540bf474ec4a

    • SHA1

      c510463933454eb302e2188b300ee92fbed10abb

    • SHA256

      a49a3cf3e72aacc6fa302d0b613acb1b611fd8148618a334b5bd6c47b5bac4d5

    • SHA512

      fc4fa201724001b0413d78fca57aeb455f0054f22d74738529e86b15deaca800d605365c41d96664cd75671728dba419de255ca1ac98284061da5ade0f0a6d14

    Score
    10/10
    formbooka83rratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks