formbook | b90e4fcb8b30fcc380d1cfe733a29b0314af1b6354c23cd1b577c99826988e9d | Triage

Sharing

General

Target

TTXdetails.docx.doc
Size

10KB
Sample

220912-rf4vhshbfr
MD5

e732f54857ee57bebe19fb6f3954114c
SHA1

6932f2ffcea4f15a09ed8429a7cb26262c768197
SHA256

b90e4fcb8b30fcc380d1cfe733a29b0314af1b6354c23cd1b577c99826988e9d
SHA512

ad1d11415821d8dcf5abd87fffa42647849da6459b5b59d93d048ee34599e910dee2b83b705391911c53f155a782605aaea73a83a6d613c735002aa85ea65f4a
SSDEEP

192:ScIMmtPf+CUG/bA3/w2OQEOrdlJFmQDZ7rhhap30mV:SPXumAOQzjJFmIZfhMFX

Score

10^/10

formbook sde7 rat spyware stealer trojan websettings

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://users@1806450061/..---------..--------------_----_______---_---______------------/...............................89.doc

Extracted

Family

formbook

Version

4.1

Campaign

sde7

Decoy

lolfilmfestival.com

pousdaobosque.com

tangierfilm.com

valuedassist.com

qcrluxuryrentals.com

poc4cloudx.com

irizh.art

flowsever.com

serios-lifestyle.com

abc-diomain.com

bmwoemwarehouse.com

vivelamoda.com

thesycorax.online

goodjob129.com

hudyeanamaze.com

pabcp.com

millennialworkouts.com

gpcr-compound-library.com

rotyupin.xyz

hnkcsm.com

Targets

- Target
  
  TTXdetails.docx.doc
- Size
  
  10KB
- MD5
  
  e732f54857ee57bebe19fb6f3954114c
- SHA1
  
  6932f2ffcea4f15a09ed8429a7cb26262c768197
- SHA256
  
  b90e4fcb8b30fcc380d1cfe733a29b0314af1b6354c23cd1b577c99826988e9d
- SHA512
  
  ad1d11415821d8dcf5abd87fffa42647849da6459b5b59d93d048ee34599e910dee2b83b705391911c53f155a782605aaea73a83a6d613c735002aa85ea65f4a
- SSDEEP
  
  192:ScIMmtPf+CUG/bA3/w2OQEOrdlJFmQDZ7rhhap30mV:SPXumAOQzjJFmIZfhMFX
Score

10^/10

formbook sde7 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooksde7ratspywarestealertrojan

behavioral2