formbook | 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141 | Triage

Submit
Reports

Overview

overview

Static

static

MTIR220243...05.vbs

windows7_x64

MTIR220243...05.vbs

windows10_x64

Sharing

General

Target

MTIR22024323_0553381487_20220112120005.vbs
Size

77KB
Sample

220113-qrty1saea9
MD5

564601676bee71f5f61a44ef170d92a6
SHA1

76fca984dab2358e66524172e04a3528f33d8e18
SHA256

5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
SHA512

a9b778cd8bb8684c9f7f7e0b9d79d17c2b0fab326fbfd59f818c7aaa403bf3fc67cf9944b2149b17e742feff9217c2a2ed3f18e15a8be82dbd4b709f5b86fe1d

Score

10^/10

formbook guloader modiloader wk3t downloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

MTIR22024323_0553381487_20220112120005.vbs

Resource

win7-en-20211208

formbook guloader modiloader wk3t downloader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

MTIR22024323_0553381487_20220112120005.vbs

Resource

win10-en-20211208

formbook guloader modiloader wk3t downloader persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wk3t

Decoy

cherrykidzclub.com

n104w16417dongesbayrd.info

pronetheus.com

tukarbelanjadapatemas.com

commlike.info

securityhackersteam.com

rainbowhitch.com

nursesgrowhealth.com

discontinuanceanywhere.com

comprehensivetitle.site

astrostorytell.store

bighorncountymtjail.com

tetoda.xyz

derivedflame.online

staging-api-projectstanley.com

mcxca.com

thebluefellowsnft.com

arizonakissesco.com

prototypephase.com

aprillemack.com

mrrviaa0.com

reloindiana.com

osscurrency.com

orderlaespigabakery.com

leohillmodeling.com

ybferro.com

laorganicwarehouse.com

coastalrey.com

gavno.online

ienqqv.xyz

ttautoglass.com

jeffreywlewiscarpentry.com

aromav60.online

d4vlkjrx.xyz

agooddomain.com

pse516.info

trustexpressfreight.com

tropiksuncc.com

greenrailfinancialgroup.com

caoyuzhou.tech

calibergaragedoorrepairsinc.com

medxcuz.online

vqjktrqkgikswr.top

danaesoftware.com

onlinemagazineshop.online

exxxclusivenft.com

whatweather.today

smbyee.com

bjitwb.com

mellowsgummies.com

romeovillepowerwashing.com

cheapest-swimmingpool.com

bagspabandung.com

conservational.one

watertalk-kickstarter.com

japanesefood-osaka.com

aml-corp.com

insurancemetafi.com

bjxsjkj.com

teerspmr.com

fmkj888.group

lawoe.net

promotourpackages.com

danielsden.store

jewelrystore1.com

Targets

- Target
  
  MTIR22024323_0553381487_20220112120005.vbs
- Size
  
  77KB
- MD5
  
  564601676bee71f5f61a44ef170d92a6
- SHA1
  
  76fca984dab2358e66524172e04a3528f33d8e18
- SHA256
  
  5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
- SHA512
  
  a9b778cd8bb8684c9f7f7e0b9d79d17c2b0fab326fbfd59f818c7aaa403bf3fc67cf9944b2149b17e742feff9217c2a2ed3f18e15a8be82dbd4b709f5b86fe1d
Score

10^/10

formbook guloader modiloader wk3t downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookguloadermodiloaderwk3tdownloaderpersistenceratspywarestealertrojan

behavioral2

formbookguloadermodiloaderwk3tdownloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy