formbook

General

Target

SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.9690.14807.rtf
Size

864KB
Sample

220926-rhvpmacbhm
MD5

027e492f7ceb4cf8023d311602434de3
SHA1

5b5a739f5688ce1154a2a4af2de1e9db8854294d
SHA256

5ddfcee976daf1f71a8b1f41a4dd170e80683b2e79d48e312d6010f941de148f
SHA512

bd63344081b7b35e9519b40744aae0af19e5f0a23472696db4f7dcabf2c45c90dd59ac471512aca438e37934d361afd5a8d72cca4ec483b2083cde7140fb3b5d
SSDEEP

1536:kpGEch6dtRGWbCtpl5kmrJ//RFxXxBpzB9TBtiBqK8Qf6YXkY0kY0kY92i3e+6fV:gho

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n25n

Decoy

counterblast-stately.net

anhuiluan.xyz

searchscrealestate.com

ipfsvault.com

q2307.com

doingout.com

empyreanaudio.com

defectivehomes.info

intlword.online

costumeking.kiwi

backachersalpacas.com

kellysheros.directory

mtbscecure.net

realestateprogression.com

shengmimama.com

sdftsb.com

ghafouli165.online

effexorbuy.top

flipgrill.store

nevadatechhelp.com

Targets

- Target
  
  SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.9690.14807.rtf
- Size
  
  864KB
- MD5
  
  027e492f7ceb4cf8023d311602434de3
- SHA1
  
  5b5a739f5688ce1154a2a4af2de1e9db8854294d
- SHA256
  
  5ddfcee976daf1f71a8b1f41a4dd170e80683b2e79d48e312d6010f941de148f
- SHA512
  
  bd63344081b7b35e9519b40744aae0af19e5f0a23472696db4f7dcabf2c45c90dd59ac471512aca438e37934d361afd5a8d72cca4ec483b2083cde7140fb3b5d
- SSDEEP
  
  1536:kpGEch6dtRGWbCtpl5kmrJ//RFxXxBpzB9TBtiBqK8Qf6YXkY0kY0kY92i3e+6fV:gho
Score

10^/10

formbook n25n rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Formbook payload
  rat
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Suspicious use of NtCreateUserProcessOtherParentProcess

Formbook payload

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2