Overview

overview

10

Static

static

1

3abfcd5069...fd.rtf

windows7-x64

10

3abfcd5069...fd.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3abfcd50698f63ec13889697874b0dfd.rtf

  • Size

    23KB

  • Sample

    230608-e9yjdacf7s

  • MD5

    3abfcd50698f63ec13889697874b0dfd

  • SHA1

    10934d356d6bf22b54fea6249d80f749ad746c8a

  • SHA256

    f287d933ff17b3591ddd689172c4d8964644bf3740ac8d9418365b3b97c51c2b

  • SHA512

    e8cad2f9364852d1ef74437a99d2d77808a825504a804f6fe50733493459214d3613bcbe56defa04e2b1d18d3ec0ee10656c1f5c0a51ded6949923650867c441

  • SSDEEP

    384:PL8yqfpijwB6fPIsKTT9gNUXDVfcwBbCvdHHWvhdCT7TuEUiVW0+T2J11ArdNWAn:j8yqfpiJnZKTT9gNQDVfcwBbqdH2vhdv

Score
10/10
formbookxchuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xchu

Decoy

zcartoons.com

castilloshowroom.com

3bmmdtod.life

misaxoxo.com

nadiya.online

sykkbup29.xyz

triciaaprimrosevp.com

newleter.com

ptzslk.xyz

lightbulbfestival.com

texaslandline.com

ideeintemporelle.com

girljustdoitpodcast.com

medimediamarketing.com

bunk7outfitters.com

charlievgrfminnick.click

lifestyleinthehome.com

atfbestsale.online

frontdoorproperties.co.uk

grandpaswag2024.info

Targets

    • Target

      3abfcd50698f63ec13889697874b0dfd.rtf

    • Size

      23KB

    • MD5

      3abfcd50698f63ec13889697874b0dfd

    • SHA1

      10934d356d6bf22b54fea6249d80f749ad746c8a

    • SHA256

      f287d933ff17b3591ddd689172c4d8964644bf3740ac8d9418365b3b97c51c2b

    • SHA512

      e8cad2f9364852d1ef74437a99d2d77808a825504a804f6fe50733493459214d3613bcbe56defa04e2b1d18d3ec0ee10656c1f5c0a51ded6949923650867c441

    • SSDEEP

      384:PL8yqfpijwB6fPIsKTT9gNUXDVfcwBbCvdHHWvhdCT7TuEUiVW0+T2J11ArdNWAn:j8yqfpiJnZKTT9gNQDVfcwBbqdH2vhdv

    Score
    10/10
    formbookxchuratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks