formbook | aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc | Triage

Resubmissions

16-02-2023 22:10

230216-13ezcacc92 10

16-02-2023 21:46

230216-1mmz1sbh3t 10

Sharing

General

Target

CONTRACT 2023.docx
Size

10KB
Sample

230216-1mmz1sbh3t
MD5

db41e48f7d56dbc3543d29270b14f41a
SHA1

3561319bfedaa64e9468a8c452013e9a757fd111
SHA256

aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc
SHA512

ac9a9fdf069235b07539b89b85dcfa8be4fd2d306cea4139d8bb29c75c02cd852d3532701cd9b17086eb29cc9009818a37749001b527d53891f07d4c4a7ba03a
SSDEEP

192:ScIMmtP5hG/b7XN+eOY/O+5+5F7Jar/YEChI35OJ:SPXRE7XtOY/7wtar/YECO5C

Score

10^/10

formbook ho62 rat spyware stealer trojan websettings

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1332625003/O_O.DOC

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Targets

- Target
  
  CONTRACT 2023.docx
- Size
  
  10KB
- MD5
  
  db41e48f7d56dbc3543d29270b14f41a
- SHA1
  
  3561319bfedaa64e9468a8c452013e9a757fd111
- SHA256
  
  aa47725c6f6cc10c7fb0cf630272d34456bf7eb49922fde230dbdd352819dffc
- SHA512
  
  ac9a9fdf069235b07539b89b85dcfa8be4fd2d306cea4139d8bb29c75c02cd852d3532701cd9b17086eb29cc9009818a37749001b527d53891f07d4c4a7ba03a
- SSDEEP
  
  192:ScIMmtP5hG/b7XN+eOY/O+5+5F7Jar/YEChI35OJ:SPXRE7XtOY/7wtar/YECO5C
Score

10^/10

formbook ho62 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookho62ratspywarestealertrojan

behavioral2