formbook | faa9c6e03a97635e6636c22e85ed3fbc128c047d25fbb6d1cd3eb599c286ad74 | Triage

Sharing

General

Target

purchaseOrder_list_(P.O_R477304).xls
Size

1.0MB
Sample

221128-vajh6saa82
MD5

1c741a897b190b202783b317d1bb61d2
SHA1

a64f0312d4cd51cf061170384d2e54aa4f70e6c3
SHA256

faa9c6e03a97635e6636c22e85ed3fbc128c047d25fbb6d1cd3eb599c286ad74
SHA512

3c1726e895c5f0e772370403f0fcae53e500c6607d994a88335180aa4619538a07f31b24b2f9049423b3592b6761c83e7dfd56a5004c61d54fb1ad8b2f1bede0
SSDEEP

24576:Jr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXzmzr5XXXXXXXXXXXXUXXXXXXXSXXXXXl:Ueg9qu

Score

10^/10

formbook pgnt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Targets

- Target
  
  purchaseOrder_list_(P.O_R477304).xls
- Size
  
  1.0MB
- MD5
  
  1c741a897b190b202783b317d1bb61d2
- SHA1
  
  a64f0312d4cd51cf061170384d2e54aa4f70e6c3
- SHA256
  
  faa9c6e03a97635e6636c22e85ed3fbc128c047d25fbb6d1cd3eb599c286ad74
- SHA512
  
  3c1726e895c5f0e772370403f0fcae53e500c6607d994a88335180aa4619538a07f31b24b2f9049423b3592b6761c83e7dfd56a5004c61d54fb1ad8b2f1bede0
- SSDEEP
  
  24576:Jr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXzmzr5XXXXXXXXXXXXUXXXXXXXSXXXXXl:Ueg9qu
Score

10^/10

formbook pgnt rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookpgntratspywarestealertrojan

behavioral2