formbook | e9d99b13aacd39de4a6d28fec7c97bfde4127b9746d2e1ae1fcda4f65a375309 | Triage

Submit
Reports

Overview

overview

Static

static

new order.docx

windows7_x64

new order.docx

windows10_x64

1

Sharing

General

Target

new order.docx
Size

10KB
Sample

211122-n87kbsfddk
MD5

817c9dd09f7e556d0ef6ff8fb68d89de
SHA1

990f6d8a8c6662fe87da9414d2b4a80e693ac9c1
SHA256

e9d99b13aacd39de4a6d28fec7c97bfde4127b9746d2e1ae1fcda4f65a375309
SHA512

6fbeebcd523e1d51f059832b0946b2f03d0da8bf14bdc91554f047c98056efcb40440ba87369841b618e57d41a40d37699fbcd6358479021c72ac615d08ceed4

Score

10^/10

formbook 9gr5 rat spyware stealer suricata trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

new order.docx

Resource

win7-en-20211104

formbook 9gr5 rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

new order.docx

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

https://bitestan.com/c4fxhPYO

Extracted

Family

formbook

Version

4.1

Campaign

9gr5

C2

http://www.cuteprofessionalscrubs.com/9gr5/

Decoy

newleafcosmetix.com

richermanscastle.com

ru-remonton.com

2diandongche.com

federaldados.design

jeffreycookweb.com

facecs.online

xmeclarn.xyz

olgasmith.xyz

sneakersonlinesale.com

playboyshiba.com

angelamiglioli.com

diitaldefynd.com

whenevergames.com

mtheartcustom.com

vitalactivesupply.com

twistblogr.com

xn--i8s140at3d6u7c.tel

baudelaireelhakim.com

real-estate-miami-searcher.site

131122.xyz

meta-medial.com

carvanaworkers.com

mimamincloor.com

aglutinarteshop.com

portal-arch.com

mandeide.com

golfteesy.com

carteretcancer.center

cuansamping.com

jhhnet.com

oetthalr.xyz

toesonly.com

ctbizmag.com

searchonzippy.com

plantedapts.com

matoneg.online

takened.xyz

meta4.life

africanizedfund.com

jukeboxjason.com

folez.online

troddu.com

802135.com

guiamat.net

gladiasol.com

meditationandyogacentre.com

metaverserealestateagent.com

boogyverse.net

melissa-mochafest.com

cozsweeps.com

pickles-child.com

metaversemediaschool.com

ahfyfz.com

ses-coating.com

pozada.biz

loldollmagic.com

mountfrenchlodge.net

25680125.xyz

inusuklearning.com

dnteagcud.xyz

yupan.site

acloud123.xyz

asadosdonchorizo.com

Targets

- Target
  
  new order.docx
- Size
  
  10KB
- MD5
  
  817c9dd09f7e556d0ef6ff8fb68d89de
- SHA1
  
  990f6d8a8c6662fe87da9414d2b4a80e693ac9c1
- SHA256
  
  e9d99b13aacd39de4a6d28fec7c97bfde4127b9746d2e1ae1fcda4f65a375309
- SHA512
  
  6fbeebcd523e1d51f059832b0946b2f03d0da8bf14bdc91554f047c98056efcb40440ba87369841b618e57d41a40d37699fbcd6358479021c72ac615d08ceed4
Score

10^/10

formbook 9gr5 rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE WBK Download from dotted-quad Host
  suricata: ET MALWARE WBK Download from dotted-quad Host
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook9gr5ratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy