formbook | 574fce61f6fcf5e16be3fd8a77a56aeeb4d7a8868e2dccd0225c9c8c426e2913 | Triage

Submit
Reports

Overview

overview

Static

static

Sample.docx

windows7-x64

Sample.docx

windows10-2004-x64

1

Sharing

General

Target

Sample.docx.doc
Size

10KB
Sample

230126-jzz2nsda72
MD5

884bf256520434bf9bdbd7a760176961
SHA1

2c79b5ca06f153b41a93d8ace4a7713d59621d9d
SHA256

574fce61f6fcf5e16be3fd8a77a56aeeb4d7a8868e2dccd0225c9c8c426e2913
SHA512

8216274591743f8f995cfa39753fb06f656d04fb676cde84d28f722adf3bcbe55330639344a898e37576dc71397b0743ecf83cbdbbc6d1c0a85596ee68bb92bd
SSDEEP

192:ScIMmtP8ar5G/bfIdTO3e/YnamWBX8ex6y3slZ:SPXt4ATO9nosMsH

Score

10^/10

formbook w12e rat spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

Sample.docx

Resource

win7-20221111-en

formbook w12e rat spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Sample.docx

Resource

win10v2004-20220812-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://000000001000000000000020000000000001000000000@104.168.46.125/fresh/qwsdffhfhcvxcdgdfhfgjfjfgdfdfgxcvcxv.doc

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

utrem.xyz

khangkiencharcoal.com

fabvance-demos.online

jima68.com

1206b.com

guardianshipattorneyhouston.com

imziii.com

gaya-zohar.com

affluencegroup.net

xn--l3cj0azbal8cf5kobm.net

apogeebk.com

kwaranewsupdate.africa

buatosh.top

thenextlevelup.net

kristianstadspelforening.se

excertesi.com

swcctv.co.uk

actiontoyhouse.com

eisenhowerloan.com

brightupproduce.com

lojaedesign.com

kecheblog.com

vigilant-e.africa

internationaltaekwondo.net

annabenedetto.com

eboomp.pics

groupeverlaine.app

ebwwn.com

grasshopperspirit.online

getsafu.com

car-deals-75816.com

roddgunnstore.online

aiako.pro

homasp.club

bingo1818.xyz

work2050.co.uk

itgroup1.online

beyou-us.com

forthewitches.biz

felue.com

macroapi.net

hsfinancialservice.com

eoresla.club

alloahucondos.com

hkifarm.com

Targets

- Target
  
  Sample.docx.doc
- Size
  
  10KB
- MD5
  
  884bf256520434bf9bdbd7a760176961
- SHA1
  
  2c79b5ca06f153b41a93d8ace4a7713d59621d9d
- SHA256
  
  574fce61f6fcf5e16be3fd8a77a56aeeb4d7a8868e2dccd0225c9c8c426e2913
- SHA512
  
  8216274591743f8f995cfa39753fb06f656d04fb676cde84d28f722adf3bcbe55330639344a898e37576dc71397b0743ecf83cbdbbc6d1c0a85596ee68bb92bd
- SSDEEP
  
  192:ScIMmtP8ar5G/bfIdTO3e/YnamWBX8ex6y3slZ:SPXt4ATO9nosMsH
Score

10^/10

formbook w12e rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookw12eratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy