formbook | 3240a633ef29ef2db485bcdc394e9b09012e9f958a9933076a8aa70f7b0730e0 | Triage

Submit
Reports

Overview

overview

Static

static

1

4693105146...1b.xls

windows7-x64

4693105146...1b.xls

windows10-2004-x64

1

Sharing

General

Target

19ec50c2819ed32422aac6d2e429fb86.bin
Size

822KB
Sample

230330-bc8rasae33
MD5

3bb52c63cbb0571b99bf9978e3c1ad2d
SHA1

8792a061f632629b63b2dbe782c6c0294c5b6fde
SHA256

3240a633ef29ef2db485bcdc394e9b09012e9f958a9933076a8aa70f7b0730e0
SHA512

a00467132c8b8b6b1b2ad7a61bc7f8203467e9e4f3ceb768810a91a3c8219d379c66001e5cd5283ca6959893bbb8a577d4e0832ef35504bb8059e602c809dab1
SSDEEP

24576:GdTA+4MjLNCYqhVgcXbLihBBZmkOSJeZk5LF:QTA+LBKgcrLCBBBJIALF

Score

10^/10

formbook ar73 rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

469310514686913b88c9480e8c84039e3866a339e0ed961371fb2d1a8719fb1b.xls

Resource

win7-20230220-en

formbook ar73 rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

469310514686913b88c9480e8c84039e3866a339e0ed961371fb2d1a8719fb1b.xls

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

kbmstr.com

colorusainc.com

five-dollar-meals.com

baozhuang8.com

la-home-service.com

innovantexclusive.com

chateaudevillars.co.uk

echadholisticbar.com

naijacarprices.africa

4652.voto

kraftheonz.com

ingrambaby.com

braeunungsoel.ch

sweetcariadgifts.co.uk

kui693.com

akatov-top.ru

epollresearch.online

cupandsaucybooks.com

arredobagno.club

gt.sale

dskincare.com

cursosemcasa.site

leaf-spa.net

deathbeforedeceit.com

azvvs.com

laptops-39165.com

ccwt.vip

011965.com

mtevz.online

jacksontcpassettlement.com

aldeajerusalen.com

kellnovaglobalfood.info

alphametatek.online

lcssthh.com

dumelogold9ja.africa

d-storic.com

mogi.africa

ghostt.net

aksharsigns.online

goglucofort.com

b708.com

controlplus.systems

lightandstory.info

invstcai.sbs

2348x.com

Targets

- Target
  
  469310514686913b88c9480e8c84039e3866a339e0ed961371fb2d1a8719fb1b.xls
- Size
  
  933KB
- MD5
  
  19ec50c2819ed32422aac6d2e429fb86
- SHA1
  
  38bd74ea54373956224126d28552b6895cd1e1f7
- SHA256
  
  469310514686913b88c9480e8c84039e3866a339e0ed961371fb2d1a8719fb1b
- SHA512
  
  dfd894a1eaeecf0174896fb638ae47ea32e494b7cda36899852becb7496479a3caad4501e12ce8b2ec5ad47f2b58f4db6af28a9392dd132e3c4368dd1336a2b1
- SSDEEP
  
  24576:eLKbSSMMednEu+MXU6akAmmjm7+MXUJ3GX222222222222222222222a22jieKI:eLKlMl+MXZaaow+MXpSeKIA
Score

10^/10

formbook ar73 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookar73ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy