formbook

General

Target

PO-5299.xls
Size

389KB
Sample

240119-tpmzgaaah3
MD5

ca93ad9d9887663ed1afc2197b775268
SHA1

017bb90012dfa9fd9a6a05efd01d1d929e411039
SHA256

3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb
SHA512

02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af
SSDEEP

6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he09

Decoy

clhear.com

maythunguyen.com

xiongmaoaijia.com

kembangzadsloh.xyz

speedwagner.com

360bedroom.com

campereurorg.top

cwxg2.site

mcdlibre.live

globigprimecompanylimited.com

1707102023-stripe.com

xhfj5.site

mugiwaranousopp.xyz

texmasco.com

sc9999.net

lite.team

8xb898.com

cibecuetowing.top

mgplatinemlak.xyz

southwestharborkeyword.top

Targets

- Target
  
  PO-5299.xls
- Size
  
  389KB
- MD5
  
  ca93ad9d9887663ed1afc2197b775268
- SHA1
  
  017bb90012dfa9fd9a6a05efd01d1d929e411039
- SHA256
  
  3a1b13e80cfd6e053f5a605e531c17a936a33fc5c5467e40be5a8845a2d2dbcb
- SHA512
  
  02278f911322f744155b59908b13fcb69fed701230921cdf3ae041ec1beafafb24322712025498925e192922203b3325e8e7896c156a489c43e992e8d02585af
- SSDEEP
  
  6144:6zcOPqGlSHBMixiMK6G+ZFrTUvCp4sJgKWQdywS26nd1WejItjFGDoo1Cz:6zBZlQpozwjTqCfgKFdyV2Qjc5GY
Score

10^/10

formbook he09 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2