Overview

overview

10

Static

static

ORDER.doc__.rtf

windows7-x64

10

ORDER.doc__.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER.doc__.rtf

  • Size

    31KB

  • Sample

    221208-m19jaacf9w

  • MD5

    a107106fb43e0ded99c1002938703532

  • SHA1

    4833ad7b724197c62db8535466366821942c3ed7

  • SHA256

    6e2449ed97a675583b51a2f9f67a2d576a97bf0ea8b780e82eb8bcc563cf9cc5

  • SHA512

    63a2375cfa7532ce0c6fcbb69695ef11b6e51de2d0e4d7c1ff7ddb2ba6b89c421b7b6e771088637326b5198f6d17941a964f7dfc3d5707319f92650e8af8cd87

  • SSDEEP

    768:aFx0XaIsnPRIa4fwJM869X+1+SVRDvYYmq+P6zQW5:af0Xvx3EMNxMTnxmpycW5

Score
10/10
formbookw086ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Targets

    • Target

      ORDER.doc__.rtf

    • Size

      31KB

    • MD5

      a107106fb43e0ded99c1002938703532

    • SHA1

      4833ad7b724197c62db8535466366821942c3ed7

    • SHA256

      6e2449ed97a675583b51a2f9f67a2d576a97bf0ea8b780e82eb8bcc563cf9cc5

    • SHA512

      63a2375cfa7532ce0c6fcbb69695ef11b6e51de2d0e4d7c1ff7ddb2ba6b89c421b7b6e771088637326b5198f6d17941a964f7dfc3d5707319f92650e8af8cd87

    • SSDEEP

      768:aFx0XaIsnPRIa4fwJM869X+1+SVRDvYYmq+P6zQW5:af0Xvx3EMNxMTnxmpycW5

    Score
    10/10
    formbookw086ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks