formbook | 5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f | Triage

Submit
Reports

Overview

overview

Static

static

Quote 2405987021.docx

windows7_x64

Quote 2405987021.docx

windows10_x64

Sharing

General

Target

Quote 2405987021.docx
Size

10KB
Sample

210525-2w4tsymesn
MD5

992acd038fd49f200bd5510c029e74b1
SHA1

f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
SHA256

5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
SHA512

e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10

Score

10^/10

formbook rat spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

Quote 2405987021.docx

Resource

win7v20210410

formbook rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quote 2405987021.docx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://198.46.132.185/..-.-.-......................................................-...-/..................................................wbk

Extracted

Family

formbook

Version

4.1

C2

http://www.mpaiji.com/c244/

Decoy

ssgasija.com

procyoon.com

mood-street-food.com

yeglifeview.com

baoyai.com

sundarsheni.com

notoli.photography

sweetape.com

ergas.group

asyrill.com

jin188v.com

stlazarushospitalnola.com

dohertyfamily5.com

duniaclubs.club

ngobryles.com

scottsavocasalon.com

unifiui.com

baileyfred.com

nabiagency.com

alyssaternanphotography.com

whitehome-re.com

nitaraine.com

rklogtransportes.com

closetcouturenc.com

day.gallery

suxfi.com

mittikasaman.com

livesupgrade.com

hasbiadam.com

masdelafont-mauguio.com

topadofa.com

humanimmunogenomics.com

exit-blog.com

andersonsignandbannerco.com

ellasween.com

jmycjj.com

dhshk.com

peaceful-dolphin.com

flossydesigns.com

mrevivalkids.com

paintmehappywithcassandra.com

daishuaku.com

c2spot.com

odiaproduct.com

skillfultopshop.com

mentorbp.com

annualchecklist.com

jasaborongan.com

fasttrainheal.com

flatfootedhatting.com

brionreilly.com

ogcaterers.info

uuhlashwe.club

subsidy-kennwort.info

logisticmoversusa.com

houseofkabbalah.com

ahealingjournee.com

diemtinthitruong.com

naturallybossed.com

turksandcaicosdirect.com

hudsonvalleyfinearts.net

brocousa.com

getyourcostsdown.com

liveitupmusic.com

Targets

- Target
  
  Quote 2405987021.docx
- Size
  
  10KB
- MD5
  
  992acd038fd49f200bd5510c029e74b1
- SHA1
  
  f1a0abb5f96c21f8a799e4f65c4216bd968c29b7
- SHA256
  
  5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f
- SHA512
  
  e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10
Score

10^/10

formbook rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy