formbook | 5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717 | Triage

Submit
Reports

Overview

overview

Static

static

Updated ORDER.docx

windows10-1703-x64

1

Updated ORDER.docx

windows7-x64

Updated ORDER.docx

windows10-2004-x64

1

Sharing

General

Target

Updated ORDER.docx
Size

11KB
Sample

230220-nf4b7sag64
MD5

98d58338e27f9aad2ef3c5a0a4df20ab
SHA1

1af7e9a0b504f116db06090cb229c64b54a607b8
SHA256

5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717
SHA512

dea40ac1624aa1ee9ab743c897a1f00764ad6722b9b9a329fcdcccdab9319ea85c5512c7a63fb440b0d5b55e67270ba1a417c24fb0176551021ad26ee7e2c0db
SSDEEP

192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCaWgk9Vlp:aNxUyn0i13LROEiOLkX6Ujnw+3NWgaVr

Score

10^/10

formbook ho62 persistence rat spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

Updated ORDER.docx

Resource

win10-20220812-en

windows10-1703-x64

5 signatures

600 seconds

Behavioral task

behavioral2

Sample

Updated ORDER.docx

Resource

win7-20220812-en

formbook ho62 persistence rat spyware stealer trojan

windows7-x64

27 signatures

600 seconds

Behavioral task

behavioral3

Sample

Updated ORDER.docx

Resource

win10v2004-20220901-en

windows10-2004-x64

5 signatures

600 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://bbBBBBBBBuuuBBBBEEEEEBBBBBBByyyyYYYYYYYYYWWWWWWwwssssDDDDDDDDDDDPPPpppppoooOOOPPOOssddSDDDD@1332625003/O--O.DOC

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

kasoraenterprises.com

instasteamer.com

granolei.com

iamavisioniar.site

beachexplo.com

ynametro.com

littlegallery-rovinj.com

27og.com

horrorcity.online

zexo.africa

perdeumane.com

drugsaddiction.co.uk

tickleyourfancy.africa

jimyhq.top

rajputnetwork.co.uk

lacuspidehn.com

bestxdenotecyby.top

gg10siyahposet.xyz

biorigin.co.uk

jye-group.com

digito.exposed

eternalstw.com

schjetne.dev

climateviking.com

easysaldoya.xyz

1233332.xyz

centerverified.online

lezzetyemekfabrikasi.com

wzshayang.com

cloudadonis.com

zxpz6.com

alifecube.com

induscontrolpcb.site

golfingineurope.com

ducksathomephotos.com

aimeesbellaboutique.com

justrebottle.com

hachettejeunesse.pro

238142.com

casabiancapanama.com

dohenydesalination.com

1-kh.com

cdhptor.xyz

island6.work

ehirtt.com

Targets

- Target
  
  Updated ORDER.docx
- Size
  
  11KB
- MD5
  
  98d58338e27f9aad2ef3c5a0a4df20ab
- SHA1
  
  1af7e9a0b504f116db06090cb229c64b54a607b8
- SHA256
  
  5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717
- SHA512
  
  dea40ac1624aa1ee9ab743c897a1f00764ad6722b9b9a329fcdcccdab9319ea85c5512c7a63fb440b0d5b55e67270ba1a417c24fb0176551021ad26ee7e2c0db
- SSDEEP
  
  192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCaWgk9Vlp:aNxUyn0i13LROEiOLkX6Ujnw+3NWgaVr
Score

10^/10

formbook ho62 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookho62persistenceratspywarestealertrojan

behavioral3

© 2018-2024

Terms | Privacy