formbook | e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37 | Triage

Submit
Reports

Overview

overview

Static

static

file673736...22.vbs

windows7_x64

file673736...22.vbs

windows10-2004_x64

Sharing

General

Target

file673736 241-22 01.02.22.vbs
Size

165KB
Sample

220209-sck4nsafe9
MD5

7faf86b2e1bb45a26367227c777dc668
SHA1

74e41c42eb5b04c532567d9244c969f4895ee3ca
SHA256

e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37
SHA512

c9427897cb391da11ee8325cd0ffd8efc7b94b2c46503a1cc4a71bd8497fcdfa42efccba7613b1119329d26b510486fe1c05290726ce06c53b60b1c76ded6427

Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

file673736 241-22 01.02.22.vbs

Resource

win7-en-20211208

formbook guloader k6sm downloader persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

file673736 241-22 01.02.22.vbs

Resource

win10v2004-en-20220113

formbook guloader k6sm downloader persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy

mingshengjewelry.com

ontimecleaningenterprise.com

alyssa0.xyz

ptecex.xyz

dukfot.online

pvcpc.com

iowalawtechnology.com

nestletranspotation.com

mysithomes.com

greenlakespaseattle.com

evofishingsystems.com

unilytcs.com

ordemt.com

dentalbatonrouge.com

pictureme360.net

chalinaslacatalana.com

newmirrorimage.xyz

pinklaceandlemonade.com

rapinantes.com

yzicpa.com

josephosman.com

robsarra.com

shumgroup.net

flooringnewhampshire.com

onceadayman.com

audiomacklaunch.xyz

hurryburry.com

golfvid.info

tutortenbobemail.com

tatlitelasorganizasyon.com

tqgtdd.space

classicalruns.com

xx3tgnf.xyz

galwayartanddesign.com

qidu.press

crypto-obmennik.com

dn360rn001.com

tridim.tech

phamhome.com

mediadollskill.com

loveatmetaverse.com

electric4x4parts.com

azulymargarita.com

isadoramel.com

rubyclean.com

officiallydanellewright.com

wu8d349s67op.xyz

detetivepyther.com

wondubniumgy463.xyz

registry-finance3.com

ultracoding.com

open-4business.com

supremelt.online

pangfeng.xyz

morneview.com

northfloridapsychic.com

kg4bppuh.xyz

friv.asia

epsilonhomecare.com

hbina.com

beachhutprinting.com

sophoscloudoptix.net

managemarksol.site

palestyna24.info

usyeslogistics.com

Targets

- Target
  
  file673736 241-22 01.02.22.vbs
- Size
  
  165KB
- MD5
  
  7faf86b2e1bb45a26367227c777dc668
- SHA1
  
  74e41c42eb5b04c532567d9244c969f4895ee3ca
- SHA256
  
  e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37
- SHA512
  
  c9427897cb391da11ee8325cd0ffd8efc7b94b2c46503a1cc4a71bd8497fcdfa42efccba7613b1119329d26b510486fe1c05290726ce06c53b60b1c76ded6427
Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookguloaderk6smdownloaderpersistenceratspywarestealertrojan

behavioral2

formbookguloaderk6smdownloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy