formbook | dfb75215e1d8a58d0daa685abba7dd08a979e2a86944b01bbac06e32bb905e29 | Triage

Submit
Reports

Overview

overview

Static

static

1

53f32eb1e2...2c.xls

windows7-x64

53f32eb1e2...2c.xls

windows10-2004-x64

1

Sharing

General

Target

625c489b71a4a7b7dc61dc3121368f02.bin
Size

912KB
Sample

230331-bttnpsgb56
MD5

c36feba16c5a113237c90899cab99419
SHA1

aafd0452faf74ef7e634a24fb297df053a13aa64
SHA256

dfb75215e1d8a58d0daa685abba7dd08a979e2a86944b01bbac06e32bb905e29
SHA512

8d548209de3ef6b55d6f2bb2e24be4ca84fe134b8275eb746b87b746b5bf57a14e35afe30cd48f128d62b189d267f866b603f92ae9db3fb4917f2f9e12acb3ea
SSDEEP

24576:iBeUOiiKRCa8JBERkJrTrcRSD9hqf0oVkIjIBMND:iB4aWi2JDJBkVVEBMND

Score

10^/10

formbook purecrypter ar73 downloader loader rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c.xls

Resource

win7-20230220-en

formbook purecrypter ar73 downloader loader rat spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c.xls

Resource

win10v2004-20230220-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

purecrypter

C2

http://192.3.215.60/uo7/Cbqta.png

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

kbmstr.com

colorusainc.com

five-dollar-meals.com

baozhuang8.com

la-home-service.com

innovantexclusive.com

chateaudevillars.co.uk

echadholisticbar.com

naijacarprices.africa

4652.voto

kraftheonz.com

ingrambaby.com

braeunungsoel.ch

sweetcariadgifts.co.uk

kui693.com

akatov-top.ru

epollresearch.online

cupandsaucybooks.com

arredobagno.club

gt.sale

dskincare.com

cursosemcasa.site

leaf-spa.net

deathbeforedeceit.com

azvvs.com

laptops-39165.com

ccwt.vip

011965.com

mtevz.online

jacksontcpassettlement.com

aldeajerusalen.com

kellnovaglobalfood.info

alphametatek.online

lcssthh.com

dumelogold9ja.africa

d-storic.com

mogi.africa

ghostt.net

aksharsigns.online

goglucofort.com

b708.com

controlplus.systems

lightandstory.info

invstcai.sbs

2348x.com

Targets

- Target
  
  53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c.xls
- Size
  
  1.0MB
- MD5
  
  625c489b71a4a7b7dc61dc3121368f02
- SHA1
  
  a36ef17d7c854bd238b6113148b8ec11f54286d7
- SHA256
  
  53f32eb1e2023b9346427d2111b0e4ac33ff4592384a1f0dae3dd5fc90dc4b2c
- SHA512
  
  93a0dd13791b1ab3db705c6f74ea820c120a95ae041a6186474c16b19fe1c6d44d0b9ef7a816a47f71c82847b5f7941af88eb1b964dba513fc89c9eb800e2240
- SSDEEP
  
  24576:lLKiSSMMednE8akAmmjmRakAmmjmw+MXUlHeA2222222222222222222222K2D0z:lLK2Mnaaoeaaoz+MX7TZVAw
Score

10^/10

formbook purecrypter ar73 downloader loader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookpurecrypterar73downloaderloaderratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy