formbook | 9b81d5a774c8e6ee7bceed2661e9f58b600c75aac7027d92521201a28b7882d7 | Triage

Sharing

General

Target

9b81d5a774c8e6ee7bceed2661e9f58b600c75aac7027d92521201a28b7882d7.xls
Size

1.1MB
Sample

221203-bkvveaca48
MD5

47325c14fe5c22486ed25c43367779ba
SHA1

17a51494cd6492da17d15b40562ba223118c31f0
SHA256

9b81d5a774c8e6ee7bceed2661e9f58b600c75aac7027d92521201a28b7882d7
SHA512

81cda215b8e823836d9848a283ccb8429887a6558a5a915c65a2f67023f129251c850e6a2e00d50995fc8d171c353c44062b778dba7c73fd583f39b7d476b0ce
SSDEEP

24576:6L7yir5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXXmBr5XXXXXXXXXXXXUXXXXXXXSXx:G2adxl4T

Score

10^/10

formbook codp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

codp

Decoy

WLwbp9IgDF0DRbuq

oNQ7DHBzVHVMTxxxFCORk65Z5w==

eKyDm2P0S8i8tXrGSRxyN/GB+g==

DWLDupksnDvfKi7Q7PI=

JAaYbOFx1G0f4pcM36gDB3YaG796

KWQ71Z4U7+2Nv8K72OXED5M9oe8=

YJpvEHW5TU/wL02R9TiN0A==

tpQX78fPprFMi7ocSgXfUNYKpTq33Icp

a9Z0eju3FKFA/YBy+MQfG3QaG796

uQzt58fSssDUenxacQCY2g==

vijGzYPYOfi2gxZLhlbA

kZfzlQg7IGPxc29BJA==

dcQu+blQlxGyZu7qw5P4L6s=

TTIXAcXMr85yqqvxWBMqdrw=

xZb/tyGC8sOjIS7Q7PI=

KnzenvO+cXkVS3biKfRDwJ9Q5Q==

ZqZvDt9+yYxqh1Si

vZD8CtVZigY/cqnmLA==

QJy2dd/p0MO1Ji7Q7PI=

l+Hmoea3jsiAcqnmLA==

Targets

- Target
  
  9b81d5a774c8e6ee7bceed2661e9f58b600c75aac7027d92521201a28b7882d7.xls
- Size
  
  1.1MB
- MD5
  
  47325c14fe5c22486ed25c43367779ba
- SHA1
  
  17a51494cd6492da17d15b40562ba223118c31f0
- SHA256
  
  9b81d5a774c8e6ee7bceed2661e9f58b600c75aac7027d92521201a28b7882d7
- SHA512
  
  81cda215b8e823836d9848a283ccb8429887a6558a5a915c65a2f67023f129251c850e6a2e00d50995fc8d171c353c44062b778dba7c73fd583f39b7d476b0ce
- SSDEEP
  
  24576:6L7yir5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXXmBr5XXXXXXXXXXXXUXXXXXXXSXx:G2adxl4T
Score

10^/10

formbook codp rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcodpratspywarestealertrojan

behavioral2