formbook

General

Target

fdd8c54cb9c4249532e2e00910c8ff36.rtf
Size

43KB
Sample

230712-gwfshsdb3z
MD5

fdd8c54cb9c4249532e2e00910c8ff36
SHA1

a63ab26f4adde349872fd4785449b76d74f8592c
SHA256

2187745dcc704a8e203aa138a9a6f63f1ffe5ebb08129899cdec638ab48b7e41
SHA512

62266f92bd5bb49545b6db4a5e4ae357e564762c89757580b7e0ea9b63bf6800e17df5a2ef503ed11b43ec49feede9ac51def550d141deb3b8467012445152bd
SSDEEP

768:EFx0XaIsnPRIa4fwJMrwEm2eY+UIAntUvQTd9zS4VDPThO0af7oK:Ef0Xvx3EMcEBeynxHzS49PVO0ajoK

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mf6w

Decoy

shiftfailure.com

wjfglobal.com

gongfuteahouse.com

kocaalivilla.com

atlheadshotphoto.com

dppop.com

padokhep.com

localventuremarketing.com

5zh3ang.com

okminisip.com

houseofmanus.com

6339777.com

fabitgood.com

yaboleyuvip9.com

abbia-group.com

tearsofthekingdomrecipes.com

ukpornagency.com

hangar18lab.com

diamond-manpower.com

yourfrancoach.com

Extracted

Family

formbook

Campaign

mf6w

Decoy

shiftfailure.com

wjfglobal.com

gongfuteahouse.com

kocaalivilla.com

atlheadshotphoto.com

dppop.com

padokhep.com

localventuremarketing.com

5zh3ang.com

okminisip.com

houseofmanus.com

6339777.com

fabitgood.com

yaboleyuvip9.com

abbia-group.com

tearsofthekingdomrecipes.com

ukpornagency.com

hangar18lab.com

diamond-manpower.com

yourfrancoach.com

Targets

- Target
  
  fdd8c54cb9c4249532e2e00910c8ff36.rtf
- Size
  
  43KB
- MD5
  
  fdd8c54cb9c4249532e2e00910c8ff36
- SHA1
  
  a63ab26f4adde349872fd4785449b76d74f8592c
- SHA256
  
  2187745dcc704a8e203aa138a9a6f63f1ffe5ebb08129899cdec638ab48b7e41
- SHA512
  
  62266f92bd5bb49545b6db4a5e4ae357e564762c89757580b7e0ea9b63bf6800e17df5a2ef503ed11b43ec49feede9ac51def550d141deb3b8467012445152bd
- SSDEEP
  
  768:EFx0XaIsnPRIa4fwJMrwEm2eY+UIAntUvQTd9zS4VDPThO0af7oK:Ef0Xvx3EMcEBeynxHzS49PVO0ajoK
Score

10^/10

formbook mf6w rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2