formbook | 54929de588e37191bfc6dd0bf4f3edc1fca58c67af0e6bc7b1bd15a66d8c1bf0 | Triage

Sharing

General

Target

SOAPO8829921199.xlsm
Size

165KB
Sample

240904-rz7qhsscjn
MD5

c0a096ce5928bce34fffd5874093f235
SHA1

971a8fbd841e42dcab84288205525b89301825c2
SHA256

54929de588e37191bfc6dd0bf4f3edc1fca58c67af0e6bc7b1bd15a66d8c1bf0
SHA512

9d7c5aaf2fe546422ff3379169909929ec50f6eebba27d527178066c943ea2973a72c7501202b9502c8ccd646dfe6b49c1194c34b8f9822404bf1fad6971eb61
SSDEEP

3072:BJNjJehd8PiRjkctohQQRBK0BvyixmZ49ke+jJLNkYa6+Rc64d:BJN06iactuRbB6M9+1GYaza64d

Score

10^/10

formbook t20u discovery execution macro rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t20u

Decoy

ecurity-jobs-ne-00989.bond

ameuniverse.shop

sychologist-therapy-33393.bond

refabricated-homes-33099.bond

urltheswirl.live

reengroce.online

cknowledgewizardinter14.sbs

excasino.club

931.bet

ilehog.net

olorandbrush.net

jpbbmr.biz

vtwenty20pt.top

nline-advertising-76521.bond

eavenresidence.net

arodyna.shop

orsi-di-massaggio.bond

est-kids-toys-near-me.today

47-nurse-76671.bond

u-suppr.top

Targets

- Target
  
  SOAPO8829921199.xlsm
- Size
  
  165KB
- MD5
  
  c0a096ce5928bce34fffd5874093f235
- SHA1
  
  971a8fbd841e42dcab84288205525b89301825c2
- SHA256
  
  54929de588e37191bfc6dd0bf4f3edc1fca58c67af0e6bc7b1bd15a66d8c1bf0
- SHA512
  
  9d7c5aaf2fe546422ff3379169909929ec50f6eebba27d527178066c943ea2973a72c7501202b9502c8ccd646dfe6b49c1194c34b8f9822404bf1fad6971eb61
- SSDEEP
  
  3072:BJNjJehd8PiRjkctohQQRBK0BvyixmZ49ke+jJLNkYa6+Rc64d:BJN06iactuRbB6M9+1GYaza64d
Score

10^/10

discovery execution formbook t20u rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

formbookt20udiscoveryexecutionratspywarestealertrojan