formbook

General

Target

Stocklist.doc__.rtf
Size

1.1MB
Sample

221011-kapp3sebeq
MD5

bd80accc4a1535d881c3b33d187f1eb5
SHA1

e68efac7e694a36e6effa9d4ff5450a9c4b23c90
SHA256

f94a50338954420bb77446d6962361193e5cfde7264e4554a64fc38444fc029c
SHA512

9e813b58cc26b8f1da4a24b6932f12fdac7326990a4eb7ac0ee0b52b5881c16c84816e020ba140dce32f8a048ee4c8ff60d4bb879a47bd3aa5c08c5b68b92c03
SSDEEP

1536:bJ/pGEch6dtRGWbCtpl5kmrJ//RFxXxBpzB9TBtiBqK8Qf6YXkY0kY0kY92i3e+z:FHf

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o07o

Decoy

bestofleak6969.fun

tupigo.net

hsy-ltd.com

stockfraudalerts.net

huelink.net

mode24.shop

monzon-consulting.com

ok184.shop

iamhighvalue.com

nitrosmith.com

28729.top

clovegiftcards.site

heront.online

healthimpactstudio.net

mitdam.com

ultravuelos.com

vip-tehnology.live

yogainbaja.com

adoweb.net

customketodiets.info

Targets

- Target
  
  Stocklist.doc__.rtf
- Size
  
  1.1MB
- MD5
  
  bd80accc4a1535d881c3b33d187f1eb5
- SHA1
  
  e68efac7e694a36e6effa9d4ff5450a9c4b23c90
- SHA256
  
  f94a50338954420bb77446d6962361193e5cfde7264e4554a64fc38444fc029c
- SHA512
  
  9e813b58cc26b8f1da4a24b6932f12fdac7326990a4eb7ac0ee0b52b5881c16c84816e020ba140dce32f8a048ee4c8ff60d4bb879a47bd3aa5c08c5b68b92c03
- SSDEEP
  
  1536:bJ/pGEch6dtRGWbCtpl5kmrJ//RFxXxBpzB9TBtiBqK8Qf6YXkY0kY0kY92i3e+z:FHf
Score

10^/10

formbook o07o rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Formbook payload
  rat
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Suspicious use of NtCreateUserProcessOtherParentProcess

Formbook payload

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2