formbook | 53f1625cb7085fb0659fbf76e8f60d3a9233d8c1bd074daf0a725c149d036f20 | Triage

Submit
Reports

Overview

overview

Static

static

Oferty CZ1...6U.xls

windows7-x64

Oferty CZ1...6U.xls

windows10-2004-x64

1

Sharing

General

Target

Oferty CZ1083377236U.xls
Size

848KB
Sample

221118-2lj3eabc92
MD5

af617f50e862c8e33e60f89e0af666b2
SHA1

50774a2bb661085ecd9df7e2c8fff87391998bc4
SHA256

53f1625cb7085fb0659fbf76e8f60d3a9233d8c1bd074daf0a725c149d036f20
SHA512

8e80a34f4bf6fe0d7dff3b7dc098f3aa64a290887eb50c909f7f92f40f957af234e4976010c49449f64b14d09dc0f4268fbd247bda9f3233d4fcb7bcaa7cbcb5
SSDEEP

24576:Hr5XXXXXXXXXXXXUXXXXXXXrXXXXXXXXYzmDr5XXXXXXXXXXXXUXXXXXXXrXXXXL:fQBNe

Score

10^/10

formbook f4ca rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Oferty CZ1083377236U.xls

Resource

win7-20221111-en

formbook f4ca rat spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

Oferty CZ1083377236U.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

CMlcaOUF6cB+8Bnm2Kc=

NpYV3moXNE+ZQ4f9nVGCSA==

/GRkjGd1acLHyeLvImbCcgVd

R52MlF+Ag+LtFr1QKa7Zf/5a

kVD/mSO1YK75pA==

5q3IANfo/JHiDww2ffu6

4i8RFOH2ACRdhzja

VLWOSRe00XX6sNsijPzqiiWfFgf1J+g=

qnsgRFL46lWG

xo1QHOyKS9rj4fjvFs+n

mIHZlAqzS6ymmpMCU1uyZgE=

WCtjiGCFl/4JTiJ0R60=

c0vpAtZ3fY7TeLfdcnASQg==

Y87Xlic9/1+q3g/pUArVoB4=

kKOsRsf05wBOd67a

dDmgYgOZZ0aCMVwgDha4bgc=

ieXCbvcCyja+otcfpw==

Fd0XQwkTHHaBmNDvImbCcgVd

PK/M6eM8xOwqvw==

Pf0q8MdfICMvvQ==

EO8aPQwf7z2Du+XvImbCcgVd

BeUisSg/Ql6uJcg=

ay2v2pz4gomTESLosQ==

AGjX3ak2B+FyQ9ZKrQ==

Du0y0UXomyoxT4/arA8Du3FvpwE=

xhV7OrDTdonq4fjvFs+n

9+s2xTlaW66p2IAAnVkDQA==

AuS2UeN4Nsvl5vo8J67Zf/5a

B1vK2590RiUuuw==

/709BIUfMCIln8sus2u2aAM=

BMpYckjp699wVZfS

Pf2AqIscEhlpHlnV18IvVQk=

RKUTxUbz/zFroN/LLq+kIdZM

IuuiQ9pj7ZzciLVPiks4Rxc=

0KBn8XAV7NNm2xPxuA==

nv7yBtDj4UNE/ju8er1EZSanBXfyLv4=

sBgf41X1vKTwUspTsg==

5bk4+oQWD+X01tBEqQ==

c08KjxWnau8DDSsESMKNI+P5G/6/sYjU6g==

RJiyeEVj/N3rhNAW3qU=

v6O7hhQxA//+Oyq2ms9DWQ==

7MdHCYCb4OT5pg==

Je0NLgIfKIeFuyjxYD+i

68P+tIkhBdlwVZfS

inthecryptolane.com

Targets

- Target
  
  Oferty CZ1083377236U.xls
- Size
  
  848KB
- MD5
  
  af617f50e862c8e33e60f89e0af666b2
- SHA1
  
  50774a2bb661085ecd9df7e2c8fff87391998bc4
- SHA256
  
  53f1625cb7085fb0659fbf76e8f60d3a9233d8c1bd074daf0a725c149d036f20
- SHA512
  
  8e80a34f4bf6fe0d7dff3b7dc098f3aa64a290887eb50c909f7f92f40f957af234e4976010c49449f64b14d09dc0f4268fbd247bda9f3233d4fcb7bcaa7cbcb5
- SSDEEP
  
  24576:Hr5XXXXXXXXXXXXUXXXXXXXrXXXXXXXXYzmDr5XXXXXXXXXXXXUXXXXXXXrXXXXL:fQBNe
Score

10^/10

formbook f4ca rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookf4caratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy