formbook | 8ae5bb65fe97959f7ff2f34fbf055a94a35fb0c9853448ddf8d20b25dc4e4889 | Triage

Submit
Reports

Overview

overview

Static

static

P-202110293029384.doc

windows7_x64

P-202110293029384.doc

windows10_x64

1

Sharing

General

Target

P-202110293029384.doc
Size

520KB
Sample

211029-vej1haadbk
MD5

5d70f853c62e03f61e0ad43f4a96db4c
SHA1

9d42c23efbe67ec377e77b694c6d2782ac9d24da
SHA256

8ae5bb65fe97959f7ff2f34fbf055a94a35fb0c9853448ddf8d20b25dc4e4889
SHA512

f42bf029c30375046178a681f90ed0b011c2ecd970f48ed39f1c9d0d3e993efdf2a0f15cd02f89097d7bc302d41259bfa67a772c35d60845f244a824909b57f4

Score

10^/10

formbook ob7y persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

P-202110293029384.doc

Resource

win7-en-20210920

formbook ob7y persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

P-202110293029384.doc

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ob7y

C2

http://www.metanewsroom.net/ob7y/

Decoy

ipsdjf.com

mlphntec.com

restaurant-day.store

writeramylong.com

flokigamefi.com

usetianyi.xyz

punishstrikebreaker.quest

ericnfleming.com

dhhwtieen.xyz

milfhackers.com

fewefie.store

pithstsdiet.store

kirsten-hemmerich.com

casinolopoca.com

sigag.xyz

geilepoes.com

metawhatsapp.art

sarjin.xyz

toprabatte.net

lotofbrave.club

ladydunyasi.com

oeooaoio.xyz

ifarh.com

geovaluablehack.com

heatherwoodrealestate.com

788027.com

groweth2gloweth.com

corryandbee.com

chatech.community

defholdingsus.com

gymandsports213.sbs

safaknet.com

rnisk.store

yhsps.com

taxlawyeral.com

liberiathelandofreturn.net

beniclothingstore.com

onecashadvance.com

metawhatsapp.delivery

chseovx.xyz

fiftyix.com

ambassadorbed.com

doktorhelp.com

memoryck.com

ceto21.com

zomerubo.rest

tyoutrannyvidep.com

3cbzfhhx5.com

cryleo.com

thebigass.online

ofd-trade-sender.com

elchinazizov.com

shakilimam.com

soporhojecast.com

reyestacosrestaurant.com

supdeszka.com

kredit-option.com

sharonallenart.com

destockage-international.com

immediate-edge-pl.xyz

jmsjszc.com

mojuwangluo.com

tr4ders.com

zilingodigitize.com

Targets

- Target
  
  P-202110293029384.doc
- Size
  
  520KB
- MD5
  
  5d70f853c62e03f61e0ad43f4a96db4c
- SHA1
  
  9d42c23efbe67ec377e77b694c6d2782ac9d24da
- SHA256
  
  8ae5bb65fe97959f7ff2f34fbf055a94a35fb0c9853448ddf8d20b25dc4e4889
- SHA512
  
  f42bf029c30375046178a681f90ed0b011c2ecd970f48ed39f1c9d0d3e993efdf2a0f15cd02f89097d7bc302d41259bfa67a772c35d60845f244a824909b57f4
Score

10^/10

formbook ob7y persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookob7ypersistenceratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy