formbook | 48d796a071618c584689b8f128a60b05411c1caf71cb98fb0cc813937978262b | Triage

Submit
Reports

Overview

overview

Static

static

Order No- ...1.docx

windows7-x64

Order No- ...1.docx

windows10-2004-x64

1

Sharing

General

Target

a484105defae733d7099ebd959a828d1
Size

27KB
Sample

220922-2bepyacdg9
MD5

a484105defae733d7099ebd959a828d1
SHA1

c0345a9bd3576aa90a02d3bc665ccaffd4f64f72
SHA256

48d796a071618c584689b8f128a60b05411c1caf71cb98fb0cc813937978262b
SHA512

43693229f6691e16b5769ca2f861b7e2b60894e9a40c220459b2bce335ef0f7a06ae260b739ad314f7edd1cbd9d07c0780b8e8006b24665bb338394602173a6f
SSDEEP

768:mQTPVCU6Ji2JJiH5ulryR4xDP162gzCh4BF1c:WoRCj1D4CCXc

Score

10^/10

formbook sde7 rat spyware stealer trojan websettings

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Order No- CW289170-A & CW201.docx

Resource

win7-20220812-en

formbook sde7 rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Order No- CW289170-A & CW201.docx

Resource

win10v2004-20220901-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://1806450061/...----------------------.................-----------------------......-------/............390.doc

Extracted

Family

formbook

Version

4.1

Campaign

sde7

Decoy

lolfilmfestival.com

pousdaobosque.com

tangierfilm.com

valuedassist.com

qcrluxuryrentals.com

poc4cloudx.com

irizh.art

flowsever.com

serios-lifestyle.com

abc-diomain.com

bmwoemwarehouse.com

vivelamoda.com

thesycorax.online

goodjob129.com

hudyeanamaze.com

pabcp.com

millennialworkouts.com

gpcr-compound-library.com

rotyupin.xyz

hnkcsm.com

tgcsi.com

atfirstbank.com

kk-casemanagement.com

holiie.online

collier-secret-sept-cieux.com

evibnb.com

bestfortherest.icu

courier-order.info

hrcpetrol.com

impresaallitaliana.com

primaldirective.com

ezpromolink.com

stgilesjms.co.uk

bolometrics.com

pura-vida-apts.com

mumbaitowingservice.com

coloradomicrogreens.net

wallarts.space

yahtjd.com

digitalkreativeco.com

skopeintechnology.com

casalindatabletop.com

handmadebeauty.net

thc-olie-shop.store

xel-toys.com

youngqueen.club

maltepeescort.club

weylanstroic.xyz

kingdombuilders-group.com

strange-ratings.com

yuma-airbox.com

biuysjcims.icu

itsourworld.biz

seobet.online

decisionsandplanning.com

blanka.beauty

hsbanye.com

2elevenmezcal.co.uk

liveoutloud4u.com

ronlynngardens.com

resorttag.com

marcelldiahwedding.faith

ez-lyfe.net

celebrityauctions.net

paidpertv.biz

Targets

- Target
  
  Order No- CW289170-A & CW201.docx
- Size
  
  10KB
- MD5
  
  f4c5e11473a31d7fd0151e8e8683f21f
- SHA1
  
  a7fa06063b79ed4c06bae700037acc76b25a3910
- SHA256
  
  63fe91092f04f3f6aabadb33860c0816ac70ec80a335361096126a2d0246e501
- SHA512
  
  5fb8d76c3d0c08ce190e5bfe46c985ae010632be08263956e0c74c71c72e5af5280dc52b467a6b2b179eb6a6e094634004458b256d3d69ed8e5bd0a586487b07
- SSDEEP
  
  192:ScIMmtPf+CUG/bA3/w2OHrdlJFmQDZ7rhhap308Z:SPXumAOHjJFmIZfhMFJ
Score

10^/10

formbook sde7 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooksde7ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy