formbook | 91e84268a13b1d03dbf602c0ae560f7c883a6aff8ed7cef2f706f2197ab3caec | Triage

Submit
Reports

Overview

overview

Static

static

Invoice an...t.docx

windows7-x64

Invoice an...t.docx

windows10-2004-x64

1

Sharing

General

Target

Invoice and Packing List.docx
Size

10KB
Sample

230404-qzhwqahb8v
MD5

77366ba07edd55058c59d80acc56d2f8
SHA1

d9f2a22cb7e55bcc38967de8f1802934af77209b
SHA256

91e84268a13b1d03dbf602c0ae560f7c883a6aff8ed7cef2f706f2197ab3caec
SHA512

bf0590b2cc1d50866995ed27413c15f71adec7778078ff8037e4eb995038bedc9cbc7b0a4ff3ae3359a2bc74747265d43b448c458a7d9cf4037b94491ab9eccb
SSDEEP

192:ScIMmtPGT7G/bIwXOVOQTi55SEzBC4vNq6sM63j8p:SPXuT+xXOVOQWnhlqHjw

Score

10^/10

formbook ne28 rat spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

Invoice and Packing List.docx

Resource

win7-20230220-en

formbook ne28 rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

Invoice and Packing List.docx

Resource

win10v2004-20230220-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://00000000000OOOOOLLLLLLLL000000000000LLLLLLLOOOOO00000000000LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@3221468051/x....xx.......doc

Extracted

Family

formbook

Version

4.1

Campaign

ne28

Decoy

basic-careitem.net

healstockton.com

groupetalentapro.com

geseconevent.com

adornmentwithadrienne.com

lazylynx.se

forestwerx.com

labishu.com

hilykan.com

beyondyoursenses.co.uk

inno-imc.com

driverrehab.online

mantlepies.co.uk

sicepat.net

kiwitownkids.com

infiniumsource.com

motorsolutionswithmakro.co.uk

6pg.shop

zijlont.xyz

corpusskencar.com

korthalsgriffonyorkshire.co.uk

hatchandneststudio.com

listestubenring.com

mynarcissist.co.uk

hfe2wr8zdi1.cfd

crackthecombination.com

cycw168.com

fren.pet

medicalcannabis.me.uk

locallooknh.com

dairecheese.com

celebrate.rsvp

foody-people.uk

11600yy.com

tuberider.africa

iamjlfreak.com

breadpartner.com

larrgestrreet.site

savethedateevents.uk

dongyoufood.com

jdmgarage.shop

commonthreadpatterns.com

ogadriver.africa

digitalfreakk.com

poshcompanyandsuites.net

gogh.live

easymediarealestate.com

brandpage.site

johnhallerconstruction.com

finemarken.com

dxyzcmag2020.com

greengrovetherapy.com

freshfruits.online

globalventureproject.info

themanxlobster.co.uk

conviord.com

goodpeoplegb1115.shop

christiesparis.com

pnc-verify-support1.com

cheerleader.social

forum-sanmonika.online

dulcescamus.com

thegolfteeshop.co.uk

dafabetvn.info

theredorchard.co.uk

Targets

- Target
  
  Invoice and Packing List.docx
- Size
  
  10KB
- MD5
  
  77366ba07edd55058c59d80acc56d2f8
- SHA1
  
  d9f2a22cb7e55bcc38967de8f1802934af77209b
- SHA256
  
  91e84268a13b1d03dbf602c0ae560f7c883a6aff8ed7cef2f706f2197ab3caec
- SHA512
  
  bf0590b2cc1d50866995ed27413c15f71adec7778078ff8037e4eb995038bedc9cbc7b0a4ff3ae3359a2bc74747265d43b448c458a7d9cf4037b94491ab9eccb
- SSDEEP
  
  192:ScIMmtPGT7G/bIwXOVOQTi55SEzBC4vNq6sM63j8p:SPXuT+xXOVOQWnhlqHjw
Score

10^/10

formbook ne28 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookne28ratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy