formbook | 9406c764fa44815b3cb4c105f2cc051dd2e764086ec7df66e49992e5c9681f01 | Triage

Submit
Reports

Overview

overview

Static

static

1

GXB032199034.js

windows7-x64

GXB032199034.js

windows10-2004-x64

Sharing

General

Target

GXB032199034.js
Size

2.7MB
Sample

230808-glp87scd5s
MD5

528d4b33434e3c8ce689f137dba1c894
SHA1

09cf5206b5b80e2cf130a313699cd50f3d62709d
SHA256

9406c764fa44815b3cb4c105f2cc051dd2e764086ec7df66e49992e5c9681f01
SHA512

706251e9e9dd62b30268f4a9c0888de390d201ae4af0b0725358efe4399db2404e850195678495b857d66a76a831a65849f04a6cc7b28735a42b5a04e8604486
SSDEEP

6144:STNgGWMXjQS3H1WfCovS9TuaDqFBpgU5MXZDJ+5svwXJ6ho1LpEieK4W2WxzD2pi:qtid

Score

10^/10

formbook wshrat me15 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

GXB032199034.js

Resource

win7-20230712-en

formbook wshrat me15 persistence rat spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

GXB032199034.js

Resource

win10v2004-20230703-en

formbook wshrat me15 persistence rat spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

me15

Decoy

thegrill253.com

arthousecorp.com

acre-com.com

dreambarnhollow.com

winwin220693.online

shinohtrade.com

blockcchain.help

8hx3.vip

lifeshinelearning.com

havencoinvestmentgroup.com

thebesthomehacks.com

the-country-wiki.com

xskt.club

sunrisemedia.space

crecrown.com

0hpail.cyou

artwelding.store

psilome.com

layerbabuena.club

miras.shop

thephdplanner.com

ffbet.city

phoenicianlabshealth.com

sdfikb.xyz

elegantmansion.com

sahajayatra.com

30639.club

spacesfor2.com

kremenergy.com

parkjitter.site

bsjiansuji.com

jeepcause.site

respectify.info

berluscoin.xyz

fathersdaysale.today

xn--ylk-8la7juk.com

vx88.lat

capacitorfaks.com

rekrutmenbumn.com

wheatgrass.expert

firatcelik.shop

transformer.gallery

jbqqb0.boats

longrhombus.com

barbariluxbar.com

zebei01.com

evaluadordemarca.digital

thefirehunter.com

tjela.com

6132023.top

kkutd.club

etihadpaper.com

hn856.vip

departmentfx.com

rmindset.com

signsandfleet.com

myzanzibar.estate

samuelzjenkins.icu

yoixuvniytdm.com

nasswallet.krd

ngtcsh.ink

tinytribecollective.com

360elitemotions.com

mgc0o4.cyou

xiaoao.asia

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Targets

- Target
  
  GXB032199034.js
- Size
  
  2.7MB
- MD5
  
  528d4b33434e3c8ce689f137dba1c894
- SHA1
  
  09cf5206b5b80e2cf130a313699cd50f3d62709d
- SHA256
  
  9406c764fa44815b3cb4c105f2cc051dd2e764086ec7df66e49992e5c9681f01
- SHA512
  
  706251e9e9dd62b30268f4a9c0888de390d201ae4af0b0725358efe4399db2404e850195678495b857d66a76a831a65849f04a6cc7b28735a42b5a04e8604486
- SSDEEP
  
  6144:STNgGWMXjQS3H1WfCovS9TuaDqFBpgU5MXZDJ+5svwXJ6ho1LpEieK4W2WxzD2pi:qtid
Score

10^/10

formbook wshrat me15 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Formbook payload
  rat
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookwshratme15persistenceratspywarestealertrojan

behavioral2

formbookwshratme15persistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy