formbook

General

Target

GMC_310182973.doc
Size

2.2MB
Sample

220131-h8za3agffk
MD5

0d4881e7b37cf348025ff29b7c5e68c4
SHA1

9a74be8ce26251344f990e852ce1a782f73c7555
SHA256

1b5b296d23666b420cce79e0e953acc3ee864d7718ff7cfab7146ee85bb8b0f6
SHA512

7199b588a2ae25bf0968e04d05dfc71a2b7146b0fd8fda60363064272d625fe73ff3deedddcb7340b931c3e7c9ee29b27340e9d02ac0853cf6881ab002469161

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m16a

Decoy

ton-pool.sbs

upyourallydesigns.com

pse575.info

travelbucket.online

achievemint.club

qidashuixiang.com

amytreharne.com

gaadroo.store

parallelepc.info

vizminingcorp.com

orlandoheaslth.com

landsharksafterdark.com

sdjinmen.com

alpencruiser.biz

xn--ar-7ka.com

9avatar.xyz

changyixin.com

radiofreetotebag.com

emailmarketer.info

recomin.online

Targets

- Target
  
  GMC_310182973.doc
- Size
  
  2.2MB
- MD5
  
  0d4881e7b37cf348025ff29b7c5e68c4
- SHA1
  
  9a74be8ce26251344f990e852ce1a782f73c7555
- SHA256
  
  1b5b296d23666b420cce79e0e953acc3ee864d7718ff7cfab7146ee85bb8b0f6
- SHA512
  
  7199b588a2ae25bf0968e04d05dfc71a2b7146b0fd8fda60363064272d625fe73ff3deedddcb7340b931c3e7c9ee29b27340e9d02ac0853cf6881ab002469161
Score

10^/10

formbook m16a rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2