General

  • Target

    RFQ_20220131.doc

  • Size

    2.2MB

  • Sample

    220131-h8za3agffj

  • MD5

    1003a3560932316f965eceb34ec38488

  • SHA1

    ff874bf58b3d4e6563803c4c5353be46c937bb8d

  • SHA256

    a2f34d41dae7d24e7a1e6c67b720266f3562fa588f9425bfd9d97db75fa69dac

  • SHA512

    42b0b0577c285350487c0a0868de375914f1f5040ac3b02b689aaa060fa4a7aa010d4908aeee0671eaca46a03b97d0dbc34f10259ddf7d07dc5978b42b6c07ff

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mz16

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks