formbook

General

Target

Samples.doc
Size

11KB
Sample

220926-lgc6asbebn
MD5

bd0fc8c16b9edecf1c96615d618b5d8a
SHA1

1d86cfb479d59aa231dea6c39e4e4be93d2f6ef7
SHA256

7c12c16cc778599d1ab51364a58b918ec66186ae0c001f70802c6fa067512ffd
SHA512

1c91f70b04693dd1d9b9f69bbe0716a013427a9db36a4ee4be94677076b0e3a20a14786ebeb79d917aa07e3f2bbb44341565ab87f9aafccfdf6be1120046644e
SSDEEP

96:gNIN6gD/52yCtUjTn8nEt1g8Y7380ehNQP6X5JkHF1hfA0X4HXGgWMU2rFc5g7Zc:mgh2yjjT8EtW3TA04iWJc5g7pV3PCDZR

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

dmpz

Decoy

g6nVYcuLqoVCBunEXBXJ6w3fWQ==

ZcvMXCXftOLl

7llPyUdY6SDW+0jFjBhH6w3fWQ==

oNlI65OL5t6RGejebRdKsAjXGtsK8A==

kU64X5biR3AzyCEnlw==

dHWevaYxywS6e4PXkxhTtP/UGtsK8A==

tucfwSpD6EgygeItq7/COFAbH9E=

tSbx9dJa7CjaS9i1c3d4ImUJ

IlWSNsSPqt6mcQ3d

e0GDBU2jsOzL5OKBIzg=

N83IzuJUqu7g3+KBIzg=

nbC4xt55DmBKL0xV4GLW6w3fWQ==

Tk99naENrAzQj1piGbcl

6043tio61grD5OKBIzg=

HvXh6PMok+vZE1qjJUJClgSk+PAr1skh

JDtEXxkexjYzc+Bwc3Yt

sl+jPuCtSKWIyeKBIzg=

+eXvDCFojnwd9P79cBrQ6w3fWQ==

UfksRCdag5cHMXc=

7OW2uH1YngQA92VbLtpaRLmO/5JOL6k=

Targets

- Target
  
  Samples.doc
- Size
  
  11KB
- MD5
  
  bd0fc8c16b9edecf1c96615d618b5d8a
- SHA1
  
  1d86cfb479d59aa231dea6c39e4e4be93d2f6ef7
- SHA256
  
  7c12c16cc778599d1ab51364a58b918ec66186ae0c001f70802c6fa067512ffd
- SHA512
  
  1c91f70b04693dd1d9b9f69bbe0716a013427a9db36a4ee4be94677076b0e3a20a14786ebeb79d917aa07e3f2bbb44341565ab87f9aafccfdf6be1120046644e
- SSDEEP
  
  96:gNIN6gD/52yCtUjTn8nEt1g8Y7380ehNQP6X5JkHF1hfA0X4HXGgWMU2rFc5g7Zc:mgh2yjjT8EtW3TA04iWJc5g7pV3PCDZR
Score

10^/10

formbook dmpz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2