formbook | ee1b53c87bcbf6604980ab928baaf8e8c70cb26fb341d49f05addd70fed92627 | Triage

Submit
Reports

Overview

overview

Static

static

OA74612.xls

windows7-x64

OA74612.xls

windows10-2004-x64

1

Sharing

General

Target

OA74612.xls
Size

511KB
Sample

221115-njb25adf43
MD5

cc083b13b3459bd2f581f4afcaef5051
SHA1

23abd922b107ac72fbe337afcd85a089eb669c27
SHA256

ee1b53c87bcbf6604980ab928baaf8e8c70cb26fb341d49f05addd70fed92627
SHA512

f85aee0d80ff76f39cba62f47a2e462d4e0256ab983b530c1af22561edb257dbce9fcf3f5f1f74ab1c37be66f3defe215971c032cb976c209ec03b308f1c8460
SSDEEP

12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmY2TmWTmjnK4D+DX/xao7ZmwW0:Cr5XXXXXXXXXXXXUXXXXXXXrXXXXXXXF

Score

10^/10

formbook g2dc rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

OA74612.xls

Resource

win7-20220812-en

formbook g2dc rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

OA74612.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

g2dc

Decoy

OqIwFVmXHnPUgdurr7I=

0YwewYtWNLZdkF7Q

HFT6VwOYdkifOpbT1h9DcYQ=

D+zGTvGlpriTumzBbw==

gMSID89/QqMV8yjH

HN5/g0/3yJBsnZCig9Qf

Hl33xdRU8xaC1rY=

/rhq03DorPAUH2bSp6228fGQ

gBwzCyfHge9SumzBbw==

NuOmK9+fenLQa9urr7I=

cA4+yKM4IQjpFwMt1BQEUJ1q6y0=

gpK3pqdoVNu93yS0uhocUtQmtQ==

3i3tx82Rf7yQdIyeprA=

FTo+4qVlVK7gIgxi0g3bUA==

7kDtq4wo6+cV8yjH

Dc123pIo9vcNuR9pwkQ0pPpHvQ==

KYREtH0zKNiI374=

Tok2qF4n2XOiRw==

DYFtA6ZXUJfA3MLhRtTVTQ==

C8poIeeskBCxEYHIbQ==

SphQtzv393fpQTmDIBvxFxyuxIK4BJWOUA==

AB4x79KRi4GW5kKig9Qf

IVcHfD3hpGSLl9+IRtTVTQ==

PzAWlDfYi/FTumzBbw==

c8KfRhi+nW2XvNurr7I=

UsixbWn3uiCIyfadTEkZUtQmtQ==

g4pzHPfEqsDb8rw=

r0hgJQncv5PCYr9RvAvxdJM=

yFlw1kAR9tY=

SVpSBeSERrimumzBbw==

uppZPE0xxRFA2yhWqvDARw==

zRjhy+RmLa2WDW7Sp6228fGQ

liYa0MmYn+0fseEDsP5EgcEftw==

MH4a78axhU2Gydurr7I=

2UQv2aEq56DO6iHF

CFomvat2Vcmz09urr7I=

q2kjkxkeyEk/k++FRtTVTQ==

BG5M2sVYFP1V7UOig9Qf

+ibWP/CKeEBw/kaig9Qf

+UsepVwfAGme8WWvyx9DcYQ=

zHJ/UmYN3lGOrY+sNUUaUtQmtQ==

A9rJR+iHRJ8V8yjH

f1c45sZoONiI374=

TaiXlThWwWrIWg==

Gno6rEkmp43vR3d+pas=

YBKzbS8Bi+0Zo/+psqY=

fygs4+dfFHRSbaE+dLAcexvc6t1n

QvyqxGh3/kh3mYnP

ZPYN3O+UTaMV8yjH

hItu96hZQKPkgrjbRtTVTQ==

gYpp/ZKAQpnIWQ==

ryD0gz7Ih29Zh2y3YGI8u/hFFEWMlw==

o1Twr45FQSldcrwZvP8OUtQmtQ==

4QL6n3gqFwRwAkaig9Qf

kN++Zyvv6yJ6ydurr7I=

SdK4Rv6Qb8w4euccuaU=

ve5+E9JwSEMjOWfxfILEq9CY

P6aMLe6ofmKIoO0U2SmtHYI=

8+bJXD3UknPOa9urr7I=

QPyWSRCfXL+mumzBbw==

8ejIbB/mp6G66Ankdw==

n96ZDb2Ab8j2gtYe4x9DcYQ=

XmRT2XUg/1w+Wn1hdH3FMIw=

LN6J745INyFTPR9kCRUX

yogaguerilla.com

Targets

- Target
  
  OA74612.xls
- Size
  
  511KB
- MD5
  
  cc083b13b3459bd2f581f4afcaef5051
- SHA1
  
  23abd922b107ac72fbe337afcd85a089eb669c27
- SHA256
  
  ee1b53c87bcbf6604980ab928baaf8e8c70cb26fb341d49f05addd70fed92627
- SHA512
  
  f85aee0d80ff76f39cba62f47a2e462d4e0256ab983b530c1af22561edb257dbce9fcf3f5f1f74ab1c37be66f3defe215971c032cb976c209ec03b308f1c8460
- SSDEEP
  
  12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmY2TmWTmjnK4D+DX/xao7ZmwW0:Cr5XXXXXXXXXXXXUXXXXXXXrXXXXXXXF
Score

10^/10

formbook g2dc rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookg2dcratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy