formbook | f168b37d321935ef09ef0dc2f12c85069c032da1116eb2736320f243c728c407 | Triage

Submit
Reports

Overview

overview

Static

static

8

b3516494_b...is.xls

windows7_x64

b3516494_b...is.xls

windows10_x64

Sharing

General

Target

b3516494_by_Libranalysis
Size

37KB
Sample

210430-b649tbve22
MD5

b3516494fe6955136ea6e6c6a6dfa6a6
SHA1

c982a59c2578f1892cef4767299b7b64527c75db
SHA256

f168b37d321935ef09ef0dc2f12c85069c032da1116eb2736320f243c728c407
SHA512

9dc052bfaa1485daa6510a65a8b484eb1a21348033ee84ea57b0fd6f8c71c713b198cefb010bbc06ccba5944bdb6ce7cf66496fccdc4ed34e7b3919770ad765d

Score

10^/10

formbook macro rat spyware stealer trojan xlm

Static task

static1

Behavioral task

behavioral1

Sample

b3516494_by_Libranalysis.xls

Resource

win7v20210408

formbook rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

b3516494_by_Libranalysis.xls

Resource

win10v20210410

formbook rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

savarsineklik.com

newfashiontrends.com

e-mobilitysolutions.com

spaced.ltd

amjadalitrading.com

thejstutor.com

zzhqp.com

exoticomistico.com

oklahomasundayschool.com

grwfrog.com

elementsfitnessamdwellbeing.com

auldontoyworld.com

cumhuriyetcidemokratparti.kim

thetruthinternational.com

adimadimingilizce.com

retreatwinds.com

duoteshop.com

jasonkokrak.com

latindancextreme.com

agavedeals.com

motz.xyz

kspecialaroma.com

yuejinjc.com

print12580.com

ampsports.tennis

affordablebathroomsarizona.com

casnop.com

driftwestcoastmarket.com

bjsjygg.com

gwpjamshedpur.com

reserveacalifornia.com

caobv.com

culturaenmistacones.com

back-upstore.com

jjsmiths.com

iamxc.com

siobhankrittiya.com

digitalakanksha.com

koatku.com

shamushalkowich.com

merplerps.com

fishexpertise.com

sweetheartmart.com

nqs.xyz

Targets

- Target
  
  b3516494_by_Libranalysis
- Size
  
  37KB
- MD5
  
  b3516494fe6955136ea6e6c6a6dfa6a6
- SHA1
  
  c982a59c2578f1892cef4767299b7b64527c75db
- SHA256
  
  f168b37d321935ef09ef0dc2f12c85069c032da1116eb2736320f243c728c407
- SHA512
  
  9dc052bfaa1485daa6510a65a8b484eb1a21348033ee84ea57b0fd6f8c71c713b198cefb010bbc06ccba5944bdb6ce7cf66496fccdc4ed34e7b3919770ad765d
Score

10^/10

formbook rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookratspywarestealertrojan

behavioral2

formbookratspywarestealertrojan

© 2018-2024

Terms | Privacy