formbook | baaf33dc951650d56f7604d13ee932371279fef9655f8e55a900c30007ed09c4 | Triage

Submit
Reports

Overview

overview

Static

static

1

Purchase O...83.xls

windows7-x64

Purchase O...83.xls

windows10-2004-x64

1

Sharing

General

Target

Purchase Order - R0136983.xls
Size

1.3MB
Sample

230328-g141xahc83
MD5

00950549802eb44db9b3d88778f8d0e4
SHA1

a427f038b5bcf7d745a5ea894464d733f5d60ae2
SHA256

baaf33dc951650d56f7604d13ee932371279fef9655f8e55a900c30007ed09c4
SHA512

8b2dcdab764327cfaa26c6dcce27234fe308c81c5a901079d343fee69d35e12929e1c7893480472901c26c39cb60db5d07c694301ce9052925ee271e1941d315
SSDEEP

24576:rLKJSSMMednEhakAmmjmFakAmmjmF+MXU/akAmmjmU+MXUt2222222222222222H:rLKzMyaaoWaaoK+MXoaaof+MX0tL

Score

10^/10

formbook gn35 rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order - R0136983.xls

Resource

win7-20230220-en

formbook gn35 rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Order - R0136983.xls

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gn35

Decoy

igusa.top

1cweb.online

ifoundmymind.com

highlightscorner.africa

kareeberg.com

conjurai.com

airforcevillagesinc.space

3dprintingpro.net

montelent.africa

willowscatsitting.co.uk

dental-implants-64653.com

byunfussy.com

jbpaintsolutions.com

caliner-bebe.com

hjd54c.com

ronabarandgrill.co.uk

financechainz.com

jsqualitycars.com

cortinasagave.store

barrowfordceltic.org.uk

juliezivah.com

awpl.xyz

goiqmg.shop

ghnrx.com

anantroop.com

gmkmc.com

reinifix.net

incus.top

corporaterelocatorslc.com

ruabsent.net

hanaulman.com

hyrxo.win

asiacrunch.com

cashpostemail.com

skegnesstaxiskegness.co.uk

independentdentistnetwork.com

boilerdenver.com

swissmadegoldwatches.com

fashionworldgame.com

crowflora.info

theneighbourhoodbagel.com

lehigh-valley-seo.com

dallasdailynews.online

habaker.co.uk

ldkj9qq.vip

urbanandcountryplumbers.africa

cpaexperts.net

everpresent-breathalysers.click

goods-servicestax.com

kevingarystaubdp.com

hhxll.com

justpeachiephotos.com

boxpartenrs.com

kyawscompany.com

fortismedtech.com

ise58.com

careofanimals.se

gfdopi.xyz

isotax.co.uk

hellafilth.com

stroudwildlifesurvey.org.uk

digiarchi.com

flamenspices.com

elektrik.plus

hollyweedtribune.com

Targets

- Target
  
  Purchase Order - R0136983.xls
- Size
  
  1.3MB
- MD5
  
  00950549802eb44db9b3d88778f8d0e4
- SHA1
  
  a427f038b5bcf7d745a5ea894464d733f5d60ae2
- SHA256
  
  baaf33dc951650d56f7604d13ee932371279fef9655f8e55a900c30007ed09c4
- SHA512
  
  8b2dcdab764327cfaa26c6dcce27234fe308c81c5a901079d343fee69d35e12929e1c7893480472901c26c39cb60db5d07c694301ce9052925ee271e1941d315
- SSDEEP
  
  24576:rLKJSSMMednEhakAmmjmFakAmmjmF+MXU/akAmmjmU+MXUt2222222222222222H:rLKzMyaaoWaaoK+MXoaaof+MX0tL
Score

10^/10

formbook gn35 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookgn35ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy