formbook | 6e2449ed97a675583b51a2f9f67a2d576a97bf0ea8b780e82eb8bcc563cf9cc5 | Triage

Sharing

General

Target

ORDER.doc__.rtf
Size

31KB
Sample

221208-m19jaacf9w
MD5

a107106fb43e0ded99c1002938703532
SHA1

4833ad7b724197c62db8535466366821942c3ed7
SHA256

6e2449ed97a675583b51a2f9f67a2d576a97bf0ea8b780e82eb8bcc563cf9cc5
SHA512

63a2375cfa7532ce0c6fcbb69695ef11b6e51de2d0e4d7c1ff7ddb2ba6b89c421b7b6e771088637326b5198f6d17941a964f7dfc3d5707319f92650e8af8cd87
SSDEEP

768:aFx0XaIsnPRIa4fwJM869X+1+SVRDvYYmq+P6zQW5:af0Xvx3EMNxMTnxmpycW5

Score

10^/10

formbook w086 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Targets

- Target
  
  ORDER.doc__.rtf
- Size
  
  31KB
- MD5
  
  a107106fb43e0ded99c1002938703532
- SHA1
  
  4833ad7b724197c62db8535466366821942c3ed7
- SHA256
  
  6e2449ed97a675583b51a2f9f67a2d576a97bf0ea8b780e82eb8bcc563cf9cc5
- SHA512
  
  63a2375cfa7532ce0c6fcbb69695ef11b6e51de2d0e4d7c1ff7ddb2ba6b89c421b7b6e771088637326b5198f6d17941a964f7dfc3d5707319f92650e8af8cd87
- SSDEEP
  
  768:aFx0XaIsnPRIa4fwJM869X+1+SVRDvYYmq+P6zQW5:af0Xvx3EMNxMTnxmpycW5
Score

10^/10

formbook w086 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookw086ratspywarestealertrojan

behavioral2