formbook | 154e8841faee60e1f21fca5eb5b8db213d12e0a4ff89cb411326a30348c5807d | Triage

Submit
Reports

Overview

overview

Static

static

7e92e7af29...4.xlsx

windows7_x64

7e92e7af29...4.xlsx

windows10_x64

1

Sharing

General

Target

7e92e7af29e8cb16c927d7d0fa0255b69a44ce44.xlsx
Size

343KB
Sample

211018-m57kgsedar
MD5

9bcd3b345d6eff5fbf800c35330a0bde
SHA1

7e92e7af29e8cb16c927d7d0fa0255b69a44ce44
SHA256

154e8841faee60e1f21fca5eb5b8db213d12e0a4ff89cb411326a30348c5807d
SHA512

defd4feb460063a6ffae0f5d98ded97e5ba5b15d2244c43113b55396ec34621bf82e2013ee666e1b4d53c578431bfd9848a7540e7c3ac3cf2f1a45b2cdc6de14

Score

10^/10

formbook s6tn rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

7e92e7af29e8cb16c927d7d0fa0255b69a44ce44.xlsx

Resource

win7-en-20210920

formbook s6tn rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

7e92e7af29e8cb16c927d7d0fa0255b69a44ce44.xlsx

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s6tn

C2

http://www.majordomus-gliwice.com/s6tn/

Decoy

ya-volna.com

nakimura.online

buildtheyamato.com

carecard.xyz

orthozayn.com

sitd.xyz

garu.club

alfainfocom.com

floridalacrossecamps.com

banytus.xyz

dogodipiskot.quest

ljlsaf.com

shaheenricemills.com

cuevieujni.info

chrisandkcollection.com

sunadokei.website

hoidotsbirky.quest

creditassociatesllc.com

amazonhrjobs.com

the-luggage-dropp-off.com

kwwmarket.com

twdesignacreation.com

siaralntl.com

iacompetitionsasia.com

seeker-l.xyz

bytesandvotes.com

newbotong.com

dbelnlogoro.quest

isleptwell.com

effektivpeople.com

rosariopabst.com

holdvfind.store

fishhunter99.com

11km.net

cryptobloombergs.com

suppershop.store

lu2h4vasat.com

siberiancrystal.com

laxmanblog.com

ret-services.com

epm-brandsshop.com

rainbowlampro.com

mastermart.net

pintseeker.com

kioskpass.com

mpu-spezialist.com

debthlp.com

westafricaschools.com

guojiannoodlemachine.com

readingroomtnpasumo5.xyz

liferooz.com

farmavidacanarias.com

voconunve.xyz

sekshikayelerimiz.info

paybro.online

condensus.com

zaratwo2.com

zcfxwl.com

sephorapets.com

arabatalmustahlik.com

poojas.xyz

verbenalifestyle.com

gabinettomedico.com

khazis.com

Targets

- Target
  
  7e92e7af29e8cb16c927d7d0fa0255b69a44ce44.xlsx
- Size
  
  343KB
- MD5
  
  9bcd3b345d6eff5fbf800c35330a0bde
- SHA1
  
  7e92e7af29e8cb16c927d7d0fa0255b69a44ce44
- SHA256
  
  154e8841faee60e1f21fca5eb5b8db213d12e0a4ff89cb411326a30348c5807d
- SHA512
  
  defd4feb460063a6ffae0f5d98ded97e5ba5b15d2244c43113b55396ec34621bf82e2013ee666e1b4d53c578431bfd9848a7540e7c3ac3cf2f1a45b2cdc6de14
Score

10^/10

formbook s6tn rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooks6tnratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy