formbook | 32cfaa88c450f72627f502fa72b50b21c3ae2d0199eebbd9f3f750945521678a | Triage

Submit
Reports

Overview

overview

Static

static

SALAMATH EXPORTS.docx

windows7_x64

SALAMATH EXPORTS.docx

windows10_x64

1

Sharing

General

Target

SALAMATH EXPORTS.docx
Size

10KB
Sample

210914-t6dgcsbabp
MD5

12f193f5a91b18567a1dc4c652a9b9f4
SHA1

9c030151be689de05d2391114f437d748b13c8d8
SHA256

32cfaa88c450f72627f502fa72b50b21c3ae2d0199eebbd9f3f750945521678a
SHA512

ab3d112138c3e5e8b303a58ed35df967acdedd4f1e6c9efb419395c6ba6f0224f6ef2f5a429ebdf5842e59df9dcbf83f79f5ad5dd345a88e56efdc1cecb78112

Score

10^/10

formbook m8g0 rat spyware stealer suricata trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

SALAMATH EXPORTS.docx

Resource

win7v20210408

formbook m8g0 rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SALAMATH EXPORTS.docx

Resource

win10-en

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://cml.lol/tj7g80

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.corbvalperu.com/m8g0/

Decoy

exclusivecan.com

junzhesuji.com

acces-credit-mutuel.com

iknitvintage.com

solonmodelun.com

debekia.com

peanutskitchen.com

kamanantzin.com

personalmodeststyle.com

qo49.com

googman.site

maisonshahnaz.com

annaalexandrovich.com

californiacashcars.com

ncafashionboutique.com

nsu0.com

cloudfirstlender.com

allforchildren.net

vn80000.com

restroon.com

rpm555.com

yasminaaa.com

e-shopee.com

flasnlute.online

fact-about.com

laurielobdell.com

bokzer.com

digitalmarketex.com

gemmakamps.com

cbdely.com

originem.cat

sherifalleghenycounty.com

mymenageire.com

jtzaatbya.icu

akuluarabavar.com

thepartygod.com

rpf.xyz

adejareadebimpefoundation.com

meingutschein.gratis

bahisbeta131.com

xn--proteindnyam-klb.com

marketauto.uk

xn--mgbai9a7dqf7be.com

milk-espresso-bar.com

lincolnsquareseniorliving.com

tranvachthachcao2020.com

sreezna.com

sudaniamericancollective.com

iresistable.com

healthyhabitsdiary.com

tianenconsulting.com

glassicsrentals.com

maviba.net

wheelersmill.info

schnellptc.com

touch2give.com

dadandan-blog.com

sheltaco.com

ramonnunezm.com

franchisesquareliquidations.com

hotelesmotril.com

tuxedojunctionbook.com

thedognanniesct.com

mettelonhart.com

Targets

- Target
  
  SALAMATH EXPORTS.docx
- Size
  
  10KB
- MD5
  
  12f193f5a91b18567a1dc4c652a9b9f4
- SHA1
  
  9c030151be689de05d2391114f437d748b13c8d8
- SHA256
  
  32cfaa88c450f72627f502fa72b50b21c3ae2d0199eebbd9f3f750945521678a
- SHA512
  
  ab3d112138c3e5e8b303a58ed35df967acdedd4f1e6c9efb419395c6ba6f0224f6ef2f5a429ebdf5842e59df9dcbf83f79f5ad5dd345a88e56efdc1cecb78112
Score

10^/10

formbook m8g0 rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookm8g0ratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy