formbook | 0e612f991709b9569a9baf7993d185955f6347c574effe5c72e51a9f96a7b301 | Triage

Sharing

General

Target

0e612f991709b9569a9baf7993d185955f6347c574effe5c72e51a9f96a7b301
Size

406KB
Sample

230718-havvzsgf65
MD5

1482780bd41df6d1dfe68b2629c26d08
SHA1

17145bdc0f9beeea6f8cf5791210d0fd486818d1
SHA256

0e612f991709b9569a9baf7993d185955f6347c574effe5c72e51a9f96a7b301
SHA512

e0fb5c4ae0ae98b231556950fd358feaebdd414f13e5dcf4eb6f3f77dd9ca5e5af930d04a362ceda9628b61029fa56d1659857dea7d3a1cab2ec8a94c0b974dd
SSDEEP

6144:TPXoDQpcUz+TfBDma1bJzSvPRehOGYJmcKeNq1umGANGc8b0:/WDfhNWRgJ8wkFA6b0

Score

10^/10

formbook guloader ms14 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ms14

Decoy

adjoinstaff.online

kmmdznky.cfd

keyviewgroup.com

kidomarketing.com

jroxtqpq.cfd

jdevmx.com

genqaagz.cfd

1cdpwp.cfd

francegoldvip.com

2qy218.xyz

peterscanner.com

trullys.com

aniwatch.top

windyhillcnc.com

pokazhu.com

r74jsy.cfd

paulgadgets.com

lindanewtee.com

lasik-de-de-8808230.zone

critone.site

Targets

- Target
  
  0e612f991709b9569a9baf7993d185955f6347c574effe5c72e51a9f96a7b301
- Size
  
  406KB
- MD5
  
  1482780bd41df6d1dfe68b2629c26d08
- SHA1
  
  17145bdc0f9beeea6f8cf5791210d0fd486818d1
- SHA256
  
  0e612f991709b9569a9baf7993d185955f6347c574effe5c72e51a9f96a7b301
- SHA512
  
  e0fb5c4ae0ae98b231556950fd358feaebdd414f13e5dcf4eb6f3f77dd9ca5e5af930d04a362ceda9628b61029fa56d1659857dea7d3a1cab2ec8a94c0b974dd
- SSDEEP
  
  6144:TPXoDQpcUz+TfBDma1bJzSvPRehOGYJmcKeNq1umGANGc8b0:/WDfhNWRgJ8wkFA6b0
Score

10^/10

formbook guloader ms14 downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookguloaderms14downloaderratspywarestealertrojan