formbook | 266fe6d2cf821cc2615448990b72401ee2772b8f8548e96482c2e9697e694f76 | Triage

Sharing

General

Target

ORDER.docx
Size

10KB
Sample

221129-me8d4adc5x
MD5

4a703e4cdcdb820ba8fb7a4885944e83
SHA1

9161b9fa57542ccd1857597e5e13e2ad89dbd2bf
SHA256

266fe6d2cf821cc2615448990b72401ee2772b8f8548e96482c2e9697e694f76
SHA512

278b9ce372564d1de8227fdd724d4934522ecb5c814316058d4cf663593ef4cd2278b285e9543948e0089cca732e5bcf86fe92e6994a0e5669d0770f38512365
SSDEEP

192:ScIMmtP8ar5G/bfIdTO2namWBX8ex6y3dvR:SPXt4ATO2nosMdp

Score

10^/10

formbook dcn0 rat spyware stealer trojan websettings

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://0000000000100000000010000000000000010000000000000001000@185.216.71.16/ewe/document_0944000039.doc

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

- Target
  
  ORDER.docx
- Size
  
  10KB
- MD5
  
  4a703e4cdcdb820ba8fb7a4885944e83
- SHA1
  
  9161b9fa57542ccd1857597e5e13e2ad89dbd2bf
- SHA256
  
  266fe6d2cf821cc2615448990b72401ee2772b8f8548e96482c2e9697e694f76
- SHA512
  
  278b9ce372564d1de8227fdd724d4934522ecb5c814316058d4cf663593ef4cd2278b285e9543948e0089cca732e5bcf86fe92e6994a0e5669d0770f38512365
- SSDEEP
  
  192:ScIMmtP8ar5G/bfIdTO2namWBX8ex6y3dvR:SPXt4ATO2nosMdp
Score

10^/10

formbook dcn0 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdcn0ratspywarestealertrojan

behavioral2