formbook | e68ea041c96b370e4d00b77da341aef26e7e25403198f5a49e9f9e310f66dc90 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

order703233.xls

windows7-x64

order703233.xls

windows10-2004-x64

1

Sharing

General

Target

order703233.xls
Size

1.1MB
Sample

230704-hvx6vada3t
MD5

8cc4e73f5ceb73680f5f59b09997d8a3
SHA1

263fb5f059b972f779b4f5d14fb8e674a5b6c799
SHA256

e68ea041c96b370e4d00b77da341aef26e7e25403198f5a49e9f9e310f66dc90
SHA512

6dc39b4d0065b9bddd34ee65bd2369fd61d6b14fe4e2dd69aefca48ace7b6b974fb8c151b85d7bc50ceebe44b935b15358126cf876e95720da975e76fb792613
SSDEEP

24576:Ez0w6sYz+o0xfsjcUos+xKXw6s5zDo0xfsjcUos+xKN3tYjYqJP46w7B:ET6sYOxfsjdos+xKA6s5Txfsjdos+xKp

Score

10^/10

formbook m42i persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

order703233.xls

Resource

win7-20230703-en

formbook m42i persistence rat spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

order703233.xls

Resource

win10v2004-20230703-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m42i

Decoy

kosporttraining.com

z19zgcn.site

kaka225.click

85471xii.net

iuplqle.xyz

bengtsberg.net

bk2y0rmx.site

hotspudqec.space

dreamshospital.com

studio-glinka.com

garotosdatv1.online

au-t-global.com

0kxm.com

medsuppanam.com

sameypaige.com

osstshirts.com

xkrujqqo.shop

hk2r.top

rakebacksites.com

ledxiu.xyz

skywardcaresolutions.com

georgiapoolrepair.com

m-1025bets10.com

banco-santander.info

minnesotatootall.com

kddd.top

jiaxiangxh.com

powertech4u.com

keostrife.com

gerianna.info

zds120.net

atempre.tech

knackwoodcraft.com

xbxmzg.com

foiplusvision.com

coastalfacepaint.com

thericklowe.com

68brbn.com

cnmzsz.com

homzinsurance.com

usekalegpt77.com

kickreseme.com

wpdisk.online

dreadfullstack.com

security-cameras-uk-en.bond

passionate-lovee.info

lks-me.com

prixmalins.com

wanitabaikbaik.com

hatcherpasscombinationtours.com

acmanu-us.site

giandomenicodonatelli.com

lavagame789.win

zishiying.net

biancagift.com

aerillon.com

ndjkshdooeiowoieui.site

wsnclaw.com

vaughanautoappraisers.com

1bysh.top

011yd.com

auraduha.com

brandof9.com

papeleriaentrecolores.com

brachyurus.com

Targets

- Target
  
  order703233.xls
- Size
  
  1.1MB
- MD5
  
  8cc4e73f5ceb73680f5f59b09997d8a3
- SHA1
  
  263fb5f059b972f779b4f5d14fb8e674a5b6c799
- SHA256
  
  e68ea041c96b370e4d00b77da341aef26e7e25403198f5a49e9f9e310f66dc90
- SHA512
  
  6dc39b4d0065b9bddd34ee65bd2369fd61d6b14fe4e2dd69aefca48ace7b6b974fb8c151b85d7bc50ceebe44b935b15358126cf876e95720da975e76fb792613
- SSDEEP
  
  24576:Ez0w6sYz+o0xfsjcUos+xKXw6s5zDo0xfsjcUos+xKN3tYjYqJP46w7B:ET6sYOxfsjdos+xKA6s5Txfsjdos+xKp
Score

10^/10

formbook m42i persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm42ipersistenceratspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy