formbook | 0b97d2123754dc9e52e88001fc59c0343b37965172255bcc4b1d592c0df69309 | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...83.xls

windows7-x64

SecuriteIn...83.xls

windows10-2004-x64

1

Sharing

General

Target

SecuriteInfo.com.Exploit.MathType-Obfs.Gen.25508.5883.xlsx
Size

250KB
Sample

221202-f52wnsge78
MD5

ba0a934b6dd5af65ca9a82782d44e843
SHA1

5957a4921c66e0bfae31d096e2a86a9c73feb5b0
SHA256

0b97d2123754dc9e52e88001fc59c0343b37965172255bcc4b1d592c0df69309
SHA512

989872eecb46877b649e6a4b17c79a6a4feb27b140aad43ff4d9215c364a2f94ec40fba3b25e34b68b7334adb76805daf434ec6eb6c99ff44bc7928f87162005
SSDEEP

6144:yDZ+RwPONXoRjDhIcp0fDlavx+W26nARy0f/8v:y+/q

Score

10^/10

formbook pr28 rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Exploit.MathType-Obfs.Gen.25508.5883.xls

Resource

win7-20220812-en

formbook pr28 rat spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Exploit.MathType-Obfs.Gen.25508.5883.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

huaxinimg.com

baorungas.com

comercializadoramultimus.com

blr-batipro.com

wantagedfas.uk

1thingplan.one

cweilin.com

lorienconsultingllc.com

jdzsjwx.com

casafacil.site

hkacgt.com

hasid.africa

92dgr97k4hr9.com

cvbiop.xyz

1wbskm.top

fantasticmobility.com

goodchoice2022.com

hafizpower.com

familiajoya.com

fundscrahelp.info

654-jp.com

locksmithexpressny.com

daniellelaurenhealth.com

65062.site

globallogisticsairline.com

livingdisabilitybenfits.com

cyprusposte.com

gladyshelps.click

letv.one

59963y.com

cre8tstudio.com

expandintofreedom.com

czechpeniche.com

windkind.net

cash4.cash

h9qblfpaog.one

growhthair.com

dmukpropertysolutions.co.uk

esd-protection.com

eqweqwewqewqewq.com

jovehome.com

dibujoart.com

fuy3.com

hthg172.com

crovv-creek.com

cannyok.online

inlook24.com

minionenterprises.net

doralfoundationssale.com

higgyspianobar.com

abundantproduction.com

agriseats.tech

diwolei.com

enwaav.tech

combienes.com

josiil.com

zweniprojects.africa

criplogistic.online

nerroir.com

blurockindustry.com

imaginaitonlibrary.com

ahavahfn.com

dougrushinglistings.com

leadsintolistings.com

alpheusmangale.com

Targets

- Target
  
  SecuriteInfo.com.Exploit.MathType-Obfs.Gen.25508.5883.xlsx
- Size
  
  250KB
- MD5
  
  ba0a934b6dd5af65ca9a82782d44e843
- SHA1
  
  5957a4921c66e0bfae31d096e2a86a9c73feb5b0
- SHA256
  
  0b97d2123754dc9e52e88001fc59c0343b37965172255bcc4b1d592c0df69309
- SHA512
  
  989872eecb46877b649e6a4b17c79a6a4feb27b140aad43ff4d9215c364a2f94ec40fba3b25e34b68b7334adb76805daf434ec6eb6c99ff44bc7928f87162005
- SSDEEP
  
  6144:yDZ+RwPONXoRjDhIcp0fDlavx+W26nARy0f/8v:y+/q
Score

10^/10

formbook pr28 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookpr28ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy