General

  • Target

    e230816a29bb8af0b5f24adfbe5eff62.rtf

  • Size

    25KB

  • Sample

    230608-e9yjdacf61

  • MD5

    e230816a29bb8af0b5f24adfbe5eff62

  • SHA1

    841fb495cc824fb043d1be3f033326294745dfff

  • SHA256

    061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3

  • SHA512

    8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7

  • SSDEEP

    768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xchu

Decoy

zcartoons.com

castilloshowroom.com

3bmmdtod.life

misaxoxo.com

nadiya.online

sykkbup29.xyz

triciaaprimrosevp.com

newleter.com

ptzslk.xyz

lightbulbfestival.com

texaslandline.com

ideeintemporelle.com

girljustdoitpodcast.com

medimediamarketing.com

bunk7outfitters.com

charlievgrfminnick.click

lifestyleinthehome.com

atfbestsale.online

frontdoorproperties.co.uk

grandpaswag2024.info

Targets

    • Target

      e230816a29bb8af0b5f24adfbe5eff62.rtf

    • Size

      25KB

    • MD5

      e230816a29bb8af0b5f24adfbe5eff62

    • SHA1

      841fb495cc824fb043d1be3f033326294745dfff

    • SHA256

      061eab00aca9bb4dc4a164c23f0ec24b805eaff6bd597b45601bde2958744ca3

    • SHA512

      8af309043b6af0b9bae704071b643b9df4cd681e855a897cad25f0dff3113fae0a97810283bc16b0988280f47307f51c5f5669288ee5f07f8a56c63f4d52dca7

    • SSDEEP

      768:XJnxqg/d7sWctQS0vZJ7UtnZlo2QLdWX2tibZqSA0:1xJ7sWcEf7gnc7QX3/A0

    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Execution         Exploitation for Client Execution    1      T1203
  Defense Evasion   Modify Registry                      1      T1112
  Discovery         Query Registry                       3      T1012
  Discovery         System Information Discovery         4      T1082

Tasks