formbook | 22c6cb28e8da3b71d9c3d14f2c1fb8f2b5905fd83a2b8b0b5e5089d336e93ba2 | Triage

Submit
Reports

Overview

overview

Static

static

5876985.rtf

windows7_x64

5876985.rtf

windows10-2004_x64

8

Sharing

General

Target

5876985.doc
Size

10KB
Sample

220131-r1eq5aaaa9
MD5

b69f10b44dfc89ed9f3c4cce4329e470
SHA1

0ddf069cd3b18aeb88cf246d4bd18be2af6e68f4
SHA256

22c6cb28e8da3b71d9c3d14f2c1fb8f2b5905fd83a2b8b0b5e5089d336e93ba2
SHA512

2601913dd64bb194334aabe4286029b2db588b45732c206cadbf5933e9a04be58db89f863167a46abaee59639ff720b35803b1b01a64e78b266bc9f0755eb719

Score

10^/10

formbook bt33 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

5876985.rtf

Resource

win7-en-20211208

formbook bt33 rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5876985.rtf

Resource

win10v2004-en-20220112

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bt33

Decoy

mbaonlinefreedegress.info

myforevermaid.com

daoyi365.com

weientm.com

legal-mx.com

formationrigging.com

heidiet.xyz

school-prosto.store

healthvitaminnutrition.com

digitalsolutionusa.com

little-bazar.com

jnbeautycanada.com

optoelek.com

learntoairmail.com

hawkminer.com

kingofearth.love

ktnstay.xyz

zouxin.love

mainlandpr.com

mamm-hummel.com

planosdwgcad.com

dlscordapp.info

northfacecore.online

professionalswhotrade.com

vbcgrp.com

spares245.com

alphasignsatl.online

342731.com

amazingarizonaproperty.com

priorlakecarpetcleaning.com

boardwalksnj.com

shiinebydesign.com

dymends.digital

indie-shopper.com

weihiw.quest

dchehe.com

momshousegeorgia.com

bnvxnohpcuhxbcueuvl.biz

tinyspout.com

hambransupply.com

keywordjord.com

koebnertriangle.com

aodiskoo.com

zgqyjlhw.com

thule-usa.store

western-overseas.online

woofpack-adventures.com

tilallarehome.com

51easyprint.com

arucad.university

llanoseeds.com

3-v0.space

harsors.com

sumiyoshiku-tenisuhiji.xyz

alsafqah.com

wrxworld.net

evrefill.com

multicoopltda.com

ziggytherealtor.com

candidatbellomansour.info

bigpromo.club

evagrombook.com

lyni7lyo.xyz

ways.express

karasevda-jor.com

Targets

- Target
  
  5876985.doc
- Size
  
  10KB
- MD5
  
  b69f10b44dfc89ed9f3c4cce4329e470
- SHA1
  
  0ddf069cd3b18aeb88cf246d4bd18be2af6e68f4
- SHA256
  
  22c6cb28e8da3b71d9c3d14f2c1fb8f2b5905fd83a2b8b0b5e5089d336e93ba2
- SHA512
  
  2601913dd64bb194334aabe4286029b2db588b45732c206cadbf5933e9a04be58db89f863167a46abaee59639ff720b35803b1b01a64e78b266bc9f0755eb719
Score

10^/10

formbook bt33 rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookbt33ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy