{ "Event": { "analysis": "1", "date": "2026-04-20", "extends_uuid": "", "info": "[Threat Intel] FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript", "protected": false, "publish_timestamp": "1779544407", "published": true, "threat_level_id": "3", "timestamp": "1779544406", "uuid": "31bcaddb-339a-4f7f-987f-62d10cf45073", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#8ee8d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Shared Modules - T1129\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#8ed4a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#4bc785", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#e22a4a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credential API Hooking - T1056.004\"", "relationship_type": "" }, { "colour": "#7c8061", "local": false, "name": "misp-galaxy:target-information=\"Bosnia and Herzegovina\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Greece\"", "relationship_type": "" }, { "colour": "#c62adc", "local": false, "name": "misp-galaxy:target-information=\"Slovenia\"", "relationship_type": "" }, { "colour": "#f439e5", "local": false, "name": "misp-galaxy:target-information=\"Spain\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Formbook\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776913220", "to_ids": false, "type": "link", "uuid": "8ad49b93-43c3-41b2-980d-92eb61c9c241", "value": "https://www.watchguard.com/wgrd-security-hub/secplicity-blog/formbook-malware-analysis-phishing-campaigns-use-dll-side-loading", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776913220", "to_ids": false, "type": "text", "uuid": "55c94c3e-9a36-4bd1-8325-0d6b1cee8d7d", "value": "Two distinct phishing campaigns have been identified targeting companies in Greece, Spain, Slovenia, Bosnia and Central American countries to deliver FormBook data-stealing malware. The first campaign uses RAR attachments containing legitimate executables like Sandboxie ImBox.exe, TikTok desktop, Adobe PDF Preview Handler, and XZ Utils, exploiting DLL side-loading with malicious DLL files. The second campaign deploys heavily obfuscated JavaScript that drops encrypted PNG files, uses PowerShell with Base64 encoding, and leverages a custom .NET loader called Mandark to inject the payload into RegAsm process. Both campaigns deliver the same FormBook executable that employs advanced evasion by manually mapping ntdll.dll in memory to bypass user-mode monitoring and perform direct syscalls, enabling credential theft and data collection from browsers while avoiding detection mechanisms." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776913220", "to_ids": false, "type": "text", "uuid": "4e21246c-9246-47c5-bdc2-7d6ee0ce2b70", "value": "Name: FormBook Malware Uses Phishing, DLL Side-Loading, JavaScript\nAuthor: AlienVault\nAdversary: \nTags: [\"formbook\", \"mandark\", \"syscall evasion\", \"obfuscated javascript\", \"data-stealing\", \"panthomvai\", \"mandark loader\", \"ntdll mapping\", \"phishing campaigns\", \"dll side-loading\"]\nTgtd countries: [\"Bosnia and Herzegovina\", \"Greece\", \"Slovenia\", \"Spain\"]\nMlwr families: [\"FormBook\", \"Mandark\", \"PanthomVAI\"]\nAttack_ids: [\"T1113\", \"T1129\", \"T1059.007\", \"T1539\", \"T1566.001\", \"T1071\", \"T1106\", \"T1140\", \"T1055\", \"T1555.003\", \"T1497\", \"T1059.001\", \"T1055.012\", \"T1027\", \"T1573\", \"T1574.002\", \"T1056.004\"]\nIndustries: []" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:27/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544406", "to_ids": true, "type": "md5", "uuid": "8a508170-7551-4ebf-95db-1d61bf5166f8", "value": "ab0d213d4df3de06bbd2db524fb73282", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544399", "uuid": "bf1bd835-6548-4297-bda0-c72ac5535cdb", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544399", "to_ids": true, "type": "md5", "uuid": "9f845bd6-5366-4d33-b72d-71ca82fe602b", "value": "9601283e3153779f5a7e845365fdd87d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544399", "to_ids": true, "type": "sha1", "uuid": "5b642dde-25ed-4c5f-a5cd-44a58ff03548", "value": "3d1eaf0777aac4c76ff406b9ecf82af7d045b8f3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544399", "to_ids": true, "type": "sha256", "uuid": "06314c5e-57d4-4a13-be98-fedbcc88cb20", "value": "4140d26ecad2fd8a3ea326ee49f5dd8bda3696e0d1ae6e756db6d61d70bf3af4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777304196", "to_ids": true, "type": "ssdeep", "uuid": "bcb09d4d-5cfb-47a3-a6ec-7caf7ec13334", "value": "6144:KKEPwLsnY2dnVKGdGWS0alrwh5i1DkE23ozeEk5FGeRKT+dLWa5WJ/blWdV3:Kka5i1FyoaEb+Jjwi" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777304196", "to_ids": false, "type": "size-in-bytes", "uuid": "285f3267-19e6-448d-b636-727a8e4331fc", "value": "434176" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777304196", "to_ids": true, "type": "vhash", "uuid": "43c42fe9-5710-4fc4-b603-96e984433033", "value": "345036651519b0b15ff98ba234" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777304196", "to_ids": true, "type": "filename", "uuid": "24fef9ba-5279-4764-adb9-b3791e8af5af", "value": "Microsoft.Win32.TaskScheduler.dll" }, { "category": "Other", "comment": "Checked: 27/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777304196", "to_ids": false, "type": "text", "uuid": "87b431bc-c9ed-458b-a956-1aa01e44f3e5", "value": "Type Description: Win32 DLL\nMicrosoft: Backdoor:MSIL/Caminho.ARP!AMTB\nVT Total Detection:47/71\nFirst Submission:2025-12-19T08:30:41.000000+00:00\nLast Submission:2026-03-24T16:09:11.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544402", "uuid": "ea0f26ef-3b9b-41ee-a78f-e9701d04febc", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544401", "to_ids": true, "type": "md5", "uuid": "9786f735-8a14-4132-862d-32df5d605fca", "value": "872116260461fe63dd8664dbfbc7efa0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544401", "to_ids": true, "type": "sha1", "uuid": "1f80c5df-7d33-4edd-b9cc-c85d2919705b", "value": "eb4372d5a32fafa92ed57df3afdf0e08aadc199e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544402", "to_ids": true, "type": "sha256", "uuid": "d40a7c98-d061-434f-aaa5-e18030c5c0c3", "value": "3f777d7b5b44e6baa6bfac0a71788f3803a82b4ba917ebafe8bc5e10af9561a1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777304217", "to_ids": true, "type": "ssdeep", "uuid": "06f395f3-753c-4b19-a6bf-c0637f04dfca", "value": "12288:Nms09lNFiZyqqbNijt3aKYfbLPxIYzUjceM0QIQw9Rl9MXL/FchKf0abW2MQFPC6:ws09lrJN3f3P6YgjQw9Rl9WqhirRJ1V" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777304217", "to_ids": false, "type": "size-in-bytes", "uuid": "0d1f757f-41f4-4b0f-9591-920bb1f3398c", "value": "771884" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777304217", "to_ids": true, "type": "filename", "uuid": "ecaa5f79-ab05-46d7-9f92-83622e12b4bc", "value": "ollo.png" }, { "category": "Other", "comment": "Checked: 27/04/2026\nLast-scan\t: 27/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777304217", "to_ids": false, "type": "text", "uuid": "5016cab3-2595-4a02-8af0-356fb2d6c1de", "value": "Type Description: JavaScript\nMicrosoft: None\nVT Total Detection:3/61\nFirst Submission:2026-01-14T07:44:19.000000+00:00\nLast Submission:2026-02-13T11:08:48.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544404", "uuid": "e771791b-11b9-4670-b595-f0a44c037f46", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544404", "to_ids": true, "type": "md5", "uuid": "7404cec0-4785-47fc-a004-a35060afb100", "value": "8d79722188d998327dd7edf9924bffe2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544404", "to_ids": true, "type": "sha1", "uuid": "ad83529e-bff0-45dd-be9f-e6098b3221d5", "value": "3a39ecc75dabed831ff5392d1638e2b76f08d262", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544404", "to_ids": true, "type": "sha256", "uuid": "571c5f0d-5957-409c-8d4e-acd5f9f513d3", "value": "41091483fd186543ec398dbf24fd9e8440ea17190b7ea386f7dd3876c43c995e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777304240", "to_ids": true, "type": "ssdeep", "uuid": "0d630d7e-de32-4bd2-84c0-e4bda0501b3d", "value": "6144:oQLkc48ywgWXPc9PkFLH9kSf2wjKAPAXDASufqBeVy2SiDVU0BKi9C2r6Eg90U6C:d4pWk2FL9kSf2wG+9SuioD7DV9B5M2O9" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777304240", "to_ids": false, "type": "size-in-bytes", "uuid": "f911e37b-bffd-417f-b876-40eb75df76a8", "value": "378200" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777304240", "to_ids": true, "type": "filename", "uuid": "7fb9bc45-a945-4f80-bb3a-d64ce6618045", "value": "Til.png" }, { "category": "Other", "comment": "Checked: 27/04/2026\nLast-scan\t: 27/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777304240", "to_ids": false, "type": "text", "uuid": "7a9510bb-c6b3-4ef5-bfcc-549e803d9de2", "value": "Type Description: JavaScript\nMicrosoft: None\nVT Total Detection:13/61\nFirst Submission:2026-02-20T11:24:12.000000+00:00\nLast Submission:2026-02-20T11:24:12.000000+00:00" } ] } ] } }