formbook | a63c1bffdc0098cc497b3e02c967ea3bf200dc71742a521564ddc3d4e0b4be41 | Triage

Submit
Reports

Overview

overview

Static

static

PO_6305977.xlsx

windows7_x64

PO_6305977.xlsx

windows10-2004_x64

1

Sharing

General

Target

d444933d181938739f4103751692eec9
Size

187KB
Sample

220606-zl735agaeq
MD5

d444933d181938739f4103751692eec9
SHA1

07936f8e30ce9404772465c32e43fe57cadadb04
SHA256

a63c1bffdc0098cc497b3e02c967ea3bf200dc71742a521564ddc3d4e0b4be41
SHA512

6fcf2eb4ae1d2641648b0c69842a4b24c6de0c4cd18a8ba5d452c171f9ce35022e04e114d1ef56a092d615ec96d20354fa66fccc4bc8ce244387aa13078ce11c

Score

10^/10

formbook g14s rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO_6305977.xlsx

Resource

win7-20220414-en

formbook g14s rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO_6305977.xlsx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g14s

Decoy

highnessmagazine.com

mokeyshop.com

remotedesktop.xyz

bicielettrica.xyz

addoncarzspa.com

ironesteem.com

asset-management-int.com

newportnewsaccounting.com

seriesyonkis2.com

hhivac.com

shrmgattlnow.com

yangzhenyu1.xyz

prettylittlenail.com

phyform.com

fggloballlc.com

gamecentertx.com

apriltoken.com

agalign.com

jointventurecoop.club

pengqianyue.tech

federleicht-restaurant.com

lollipop987.xyz

diamondbaybridgesweeps2022.com

burnaboy.net

affectionatelycrypto.com

anakastore.com

tsrtouring.com

ziyunyx.xyz

cognivegan.com

bigkumara.com

goldtickets.online

archermotorsportslogistics.com

bestsecurityvendor.com

remedybox.net

maxcarat.com

topseng.online

kmatsumoto.net

xn--ankrbikes-27a.store

inginetimetracking.com

uvej.xyz

elementbigwear.xyz

rebootxx.com

shzaonuo.com

cvwconference.com

jnadtech.com

wanaizhijia.com

marie69.xyz

onlyappsauthenpoint.online

darkfo.rest

lfzhitu.com

lesdelices2paris.com

rustygarages.com

idontcarewhatyouthink.net

qcg2.com

kreeplyfe.net

teethguardforme.com

teethguardforme.com

gentor.online

big79.pro

peifang8.com

homehs.net

whalsaycafe.com

remisemaroc.com

viqub.com

swiftsrecovery.com

Targets

- Target
  
  PO_6305977.xlsx
- Size
  
  136KB
- MD5
  
  bf43d6ef39e3ec80000aa17b5e1fa8ee
- SHA1
  
  a42be18ff81fefbb550d3789770aabd7f7b0a4b2
- SHA256
  
  a4c426f7bd1ff3a4292b8ee1e315d58f23a149901b1b245a0c774fa981d67afd
- SHA512
  
  ad3977db3960acaf5f21185ea303831b90f6dba497d762079bda5db598db021453e354d521d35e8b6102812a50e3ed8d0ee649a4d45fc53005568c884c85b495
Score

10^/10

formbook g14s rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
  suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookg14sratspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy