formbook | 33b5dd91de8cc8374fd126d232fa1e466aab16ed580a655ff972c34a226d71ae | Triage

Submit
Reports

Overview

overview

Static

static

3

DHLExpress...ER.exe

windows7-x64

DHLExpress...ER.exe

windows10-2004-x64

Sharing

General

Target

DHLExpressShippingConfirmation Documentis--787490DER.exe
Size

1.7MB
Sample

230601-saffeafb51
MD5

d55da7b53f6783640242d92a3f791a3e
SHA1

8a9da2c31da5dd37427497ccff63370b4bca580f
SHA256

33b5dd91de8cc8374fd126d232fa1e466aab16ed580a655ff972c34a226d71ae
SHA512

73bb9755c1dfa1ac64846b37aed1a55879d57516fd8ffd5a196b8bdc2405e402b8511b4ec283c0cfcbb1a84b003affe0047909c5036b9d4138ba954f2018d244
SSDEEP

24576:hJNUbsGNNYY4EiBJyHN/nvYCw3LY7CEBbJ0P1WseRHIEBuyVtjvAjQ77ewJtf:8JaKzWP1sHxE

Score

10^/10

formbook cg64 persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

DHLExpressShippingConfirmation Documentis--787490DER.exe

Resource

win7-20230220-en

formbook cg64 persistence rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

DHLExpressShippingConfirmation Documentis--787490DER.exe

Resource

win10v2004-20230220-en

formbook cg64 persistence rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cg64

Decoy

izzicasino-bsm3.top

efefscatter.buzz

babyshowers.rsvp

hjdbbe.com

lanystory.com

dff8888.com

jewelryvente.com

youbookmusic.com

climate2099.com

efsanekofte.com

krhypnotherapycoaching.com

lojasmagictoys.site

91she448.xyz

actisetmoi.com

111s998.com

arifdm.com

impactstudio.info

samkitch.co.uk

bizm.xyz

fifainu96.com

agenciaibdig.online

frostdal.com

greenwath.com

dnmk2t.site

bumubumu.co.uk

escortboyparisfrance.com

deliciousdelicacies.website

knoxvilleisurf.com

emivn-pay.com

ethdefi.homes

dokusyodeyutakani.com

fspericias.net

17iyou.com

officialukcertificates.co.uk

cese2dz.com

bonafidewhiskeyenthusiast.net

anderbulk.info

tradesupplyboutique.net

mecxon.online

informationdata65319.com

fngurfgakwetjufis.com

iyjnea.info

availablespinchild.com

lonunity.africa

mrbenson.co.uk

gzpujinp.com

datascience.gallery

rentcafehomeiq.com

automakebr.com

lihongkaisneaker.shop

delaunaydonation.com

james-beard.com

appet.xyz

collierswoodsurgery.co.uk

nnkkd.com

larkhrconsulting.com

allnoblehousing.net

associations-chamonix.com

ice-yellow.net

1wodyx.top

mozanschools.africa

grassfence.online

fisted-editorialised.click

gbsmilano.com

aaawealthy.art

Targets

- Target
  
  DHLExpressShippingConfirmation Documentis--787490DER.exe
- Size
  
  1.7MB
- MD5
  
  d55da7b53f6783640242d92a3f791a3e
- SHA1
  
  8a9da2c31da5dd37427497ccff63370b4bca580f
- SHA256
  
  33b5dd91de8cc8374fd126d232fa1e466aab16ed580a655ff972c34a226d71ae
- SHA512
  
  73bb9755c1dfa1ac64846b37aed1a55879d57516fd8ffd5a196b8bdc2405e402b8511b4ec283c0cfcbb1a84b003affe0047909c5036b9d4138ba954f2018d244
- SSDEEP
  
  24576:hJNUbsGNNYY4EiBJyHN/nvYCw3LY7CEBbJ0P1WseRHIEBuyVtjvAjQ77ewJtf:8JaKzWP1sHxE
Score

10^/10

formbook cg64 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcg64persistenceratspywarestealertrojan

behavioral2

formbookcg64persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy