formbook | 94e3996206fdc70b2ed95a87672b3516eac8a41d25c2c3659ed7933399bfa287 | Triage

Submit
Reports

Overview

overview

Static

static

1

INVOICENoK...x.docx

windows7-x64

INVOICENoK...x.docx

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

INVOICENoKTSPHIAUDIOdocx.docx
Size

10KB
Sample

230627-rmc1dafc81
MD5

10fff05223ad6d1bb04774da72f1d815
SHA1

c85b33926aafd563649ae22c6506212591d36b0a
SHA256

94e3996206fdc70b2ed95a87672b3516eac8a41d25c2c3659ed7933399bfa287
SHA512

3fb1aa53fbb6920a6f4fbc33cc176e2842f3c3634319741183aaa6aaf5741cb960a352322b5d2263b877026b699764b4e214746c074f91a58b39820ed36acb17
SSDEEP

192:gya0NI0ZmW6ARgZVPCK44AG9xXSJ+Ej70JY6KwHKcpkWY8cWeZF:gyXI0ZmW6ANK4499xXSJf70JY6H1Y8eF

Score

10^/10

formbook m42i persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

INVOICENoKTSPHIAUDIOdocx.docx

Resource

win7-20230621-en

formbook m42i persistence rat spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

INVOICENoKTSPHIAUDIOdocx.docx

Resource

win10v2004-20230621-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m42i

Decoy

kosporttraining.com

z19zgcn.site

kaka225.click

85471xii.net

iuplqle.xyz

bengtsberg.net

bk2y0rmx.site

hotspudqec.space

dreamshospital.com

studio-glinka.com

garotosdatv1.online

au-t-global.com

0kxm.com

medsuppanam.com

sameypaige.com

osstshirts.com

xkrujqqo.shop

hk2r.top

rakebacksites.com

ledxiu.xyz

skywardcaresolutions.com

georgiapoolrepair.com

m-1025bets10.com

banco-santander.info

minnesotatootall.com

kddd.top

jiaxiangxh.com

powertech4u.com

keostrife.com

gerianna.info

zds120.net

atempre.tech

knackwoodcraft.com

xbxmzg.com

foiplusvision.com

coastalfacepaint.com

thericklowe.com

68brbn.com

cnmzsz.com

homzinsurance.com

usekalegpt77.com

kickreseme.com

wpdisk.online

dreadfullstack.com

security-cameras-uk-en.bond

passionate-lovee.info

lks-me.com

prixmalins.com

wanitabaikbaik.com

hatcherpasscombinationtours.com

acmanu-us.site

giandomenicodonatelli.com

lavagame789.win

zishiying.net

biancagift.com

aerillon.com

ndjkshdooeiowoieui.site

wsnclaw.com

vaughanautoappraisers.com

1bysh.top

011yd.com

auraduha.com

brandof9.com

papeleriaentrecolores.com

brachyurus.com

Targets

- Target
  
  INVOICENoKTSPHIAUDIOdocx.docx
- Size
  
  10KB
- MD5
  
  10fff05223ad6d1bb04774da72f1d815
- SHA1
  
  c85b33926aafd563649ae22c6506212591d36b0a
- SHA256
  
  94e3996206fdc70b2ed95a87672b3516eac8a41d25c2c3659ed7933399bfa287
- SHA512
  
  3fb1aa53fbb6920a6f4fbc33cc176e2842f3c3634319741183aaa6aaf5741cb960a352322b5d2263b877026b699764b4e214746c074f91a58b39820ed36acb17
- SSDEEP
  
  192:gya0NI0ZmW6ARgZVPCK44AG9xXSJ+Ej70JY6KwHKcpkWY8cWeZF:gyXI0ZmW6ANK4499xXSJf70JY6H1Y8eF
Score

10^/10

formbook m42i persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm42ipersistenceratspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy