formbook

General

Target

vbc.exe
Size

823KB
Sample

230314-jd4gzaeb46
MD5

e67054066f3c12a83c34aadfcdb7c6d0
SHA1

59a85a5cec540c12c2e3e03877a5272f1188e11c
SHA256

7c641f905224b196dbcdabf2c154ebcfc8aba90033152e00661521339b074488
SHA512

d67e994e31559fdc9eb62d1aa957260af548a3f905314494aa241e2899754fe7043280cf4588c284da42a77ac55ee1534a0c41c8fa8d8a0da4805efd289e70b1
SSDEEP

24576:alDf6wlKqkJWFLlSCEPokFdFPesTwO6ht62l:alzEqlLUwkFdIRl

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d16k

Decoy

drinkag1pro.com

dermamedical.uk

northwheddonfarm.co.uk

ashleighj.com

kietaj.xyz

6tu04yd0.xyz

donutcosmetic.com

goldsell.xyz

betonxetek.ru

caplingerphotodrones.com

mp3cool3.net

diakonia.africa

addictsmovingmountainsinc.com

czghgdgs.com

highperwednesday.com

wagadvisor.co.uk

youhuidi.net

feastandfast.com

fp-events.net

1wkejm.top

Targets

- Target
  
  vbc.exe
- Size
  
  823KB
- MD5
  
  e67054066f3c12a83c34aadfcdb7c6d0
- SHA1
  
  59a85a5cec540c12c2e3e03877a5272f1188e11c
- SHA256
  
  7c641f905224b196dbcdabf2c154ebcfc8aba90033152e00661521339b074488
- SHA512
  
  d67e994e31559fdc9eb62d1aa957260af548a3f905314494aa241e2899754fe7043280cf4588c284da42a77ac55ee1534a0c41c8fa8d8a0da4805efd289e70b1
- SSDEEP
  
  24576:alDf6wlKqkJWFLlSCEPokFdFPesTwO6ht62l:alzEqlLUwkFdIRl
Score

10^/10

formbook d16k rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Deletes itself
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Blocklisted process makes network request

Deletes itself

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2