General

  • Target

    39669a47b553f5d6b3ed6b730d7852f9.rtf

  • Size

    22KB

  • Sample

    230608-fx5btsda3z

  • MD5

    39669a47b553f5d6b3ed6b730d7852f9

  • SHA1

    74b365ae0dc316eee5de6df5911019cabe512efb

  • SHA256

    8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d

  • SHA512

    1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b

  • SSDEEP

    384:d8eKvpZlj7bLrJU/Wx1mEIZBFhqeq/d7SZ7DPvZ5pfiZcp2k4V7qQsqG14uT+hS1:dBeZljnLrJUOx180luZfp3p2kA7q1qED

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    gtt8

  • Decoy

    42taijijian.com
    rehnimiyanales.com
    cst247.shop
    usdt09.tech
    lennartjahn.com
    aaabestcbd.com
    marketing-digital-france-2.xyz
    be4time.com
    slotyfly.com
    parimaladragonflywellness.life
    phonereda.com
    01076.win
    thehoundlounge.info
    high-vent.co.uk
    14thfeb.com
    onlyforks.info
    joseeandtim.com
    mylegoclub.com
    iuser-findmy.info
    uninassaupolopinheiro.com

Targets

    • Target

      39669a47b553f5d6b3ed6b730d7852f9.rtf

    • Size

      22KB

    • MD5

      39669a47b553f5d6b3ed6b730d7852f9

    • SHA1

      74b365ae0dc316eee5de6df5911019cabe512efb

    • SHA256

      8e353c1f1a7b0ddea3289b04cb2fb2bde6eacb21298cca8a0c2af37081e5be8d

    • SHA512

      1efae6c19e86d02904b25cc4de9fb9114268ecc82d3743900e6057dc10a82db6286438dd21a534a59e8ed60597d198b3392a6e8c4a1fa5ce4116fa311da64a7b

    • SSDEEP

      384:d8eKvpZlj7bLrJU/Wx1mEIZBFhqeq/d7SZ7DPvZ5pfiZcp2k4V7qQsqG14uT+hS1:dBeZljnLrJUOx180luZfp3p2kA7q1qED

    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (1): T1203

  • Defense Evasion

    Modify Registry (1): T1112

  • Discovery

    Query Registry (3): T1012

    System Information Discovery (4): T1082

Tasks