formbook

General

Target

QUOTE 367490.xls
Size

1.4MB
Sample

230721-gpqn5sch5t
MD5

affd47cfa5f9b6138138bbcf3d9bd01a
SHA1

09f8d0372d30cee602b51543fb1e47e41bf99146
SHA256

3631cef235754ade0b7e46898abd5c69f736439897e28b16c141b3e1c8780389
SHA512

d2d05d70343f55f307989cb1f34d02255b80bb8181b3b230ae4d582cc5b2a6ed73f53ee40790266b2e4cf114913dbc6a0b5ef8a4aaded7f945dd1d39edb5f6c0
SSDEEP

24576:K9u9VNZylw6VMOZymw6VqViNhuuvvtg3oqVUbXQwNgZffsLMy5w/x:K9uPR6VMYe6VCiNhv3tsMXXNhLr5E

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ms14

Decoy

adjoinstaff.online

kmmdznky.cfd

keyviewgroup.com

kidomarketing.com

jroxtqpq.cfd

jdevmx.com

genqaagz.cfd

1cdpwp.cfd

francegoldvip.com

2qy218.xyz

peterscanner.com

trullys.com

aniwatch.top

windyhillcnc.com

pokazhu.com

r74jsy.cfd

paulgadgets.com

lindanewtee.com

lasik-de-de-8808230.zone

critone.site

Targets

- Target
  
  QUOTE 367490.xls
- Size
  
  1.4MB
- MD5
  
  affd47cfa5f9b6138138bbcf3d9bd01a
- SHA1
  
  09f8d0372d30cee602b51543fb1e47e41bf99146
- SHA256
  
  3631cef235754ade0b7e46898abd5c69f736439897e28b16c141b3e1c8780389
- SHA512
  
  d2d05d70343f55f307989cb1f34d02255b80bb8181b3b230ae4d582cc5b2a6ed73f53ee40790266b2e4cf114913dbc6a0b5ef8a4aaded7f945dd1d39edb5f6c0
- SSDEEP
  
  24576:K9u9VNZylw6VMOZymw6VqViNhuuvvtg3oqVUbXQwNgZffsLMy5w/x:K9uPR6VMYe6VCiNhv3tsMXXNhLr5E
Score

10^/10

formbook ms14 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Checks QEMU agent file

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2