formbook | ee701c82b92562f01edbb96ef74f5db9b59ba479e87bdd01c75da61b94203e41 | Triage

Submit
Reports

Overview

overview

Static

static

1

03072024_1...A.docx

windows7-x64

03072024_1...A.docx

windows10-2004-x64

1

Sharing

General

Target

03072024_1606_02072024_DHL522918767AA.docx
Size

16KB
Sample

240703-tj9ahsydla
MD5

f97f213bb0f35c63379e436ed801f3cb
SHA1

a3d28a24d4b3e1a499873d295195bc41a5fd843d
SHA256

ee701c82b92562f01edbb96ef74f5db9b59ba479e87bdd01c75da61b94203e41
SHA512

ed8c715d6472b37d8874c4fba288f3c515a2b43bd7fbec8c4cad70f2e63d925d0daea27346be50a7aa4c5801399a8171a6a1f14b096c0725e6fc929482dcf4a4
SSDEEP

384:UyX/fCXWws8PL8wi4OEwH8TIbE91r2fRK/JYjvigf6vqsp:Uc/+j5P3DOqnYJGuvNf6vR

Score

10^/10

formbook ch25 execution rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

03072024_1606_02072024_DHL522918767AA.docx

Resource

win7-20240419-en

formbook ch25 execution rat spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

03072024_1606_02072024_DHL522918767AA.docx

Resource

win10v2004-20240508-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ch25

Decoy

alexandermartin.shop

nojku.xyz

vrbroadband.com

ahlinih.autos

lwkyg.com

clinicasantacruz.net

sdsuihe.com

salaryforex.com

educationvibrance.com

d49wy.rest

9vl6q6hi.asia

profabsystem.online

takleforcreators.com

alphaextract.xyz

glam55.com

78032.asia

wsmh66.com

dgcustomerfirst100.shop

13445.xyz

office-27.com

kubet11.center

pement.shop

googleov.com

12401.vip

e4c3e.xyz

8yu8xxzk.asia

rewritexrebirth.com

culturevista.com

ibizameltdown.com

pristina.xyz

tdyoul421z.xyz

jimvernon.life

642234.com

kayuikayuisayonara.com

zezefuture.com

gold-coin.pro

dahab-tech.com

frikicool.com

zenithlogisticsintl.com

cdncf.xyz

bintangplay.lol

asteknikservis.com

yiic.asia

qexrhqub.xyz

khalata.com

thebarflybook.com

weareonefilms.com

krgx2.rest

e11.online

7sjili09.com

179724.photos

sammichhousesd.com

gz-bau.com

hairbywendybarrios.shop

msefilo.com

radheyranidailyproduct.com

freathers.com

jarrydgoescaroling.com

cozyhavenfireplacedepot.com

758my.xyz

davidsfork.com

aigirls.studio

walterlewisfitsolutions.com

gayfuckpron.com

taimei-trql018.com

Targets

- Target
  
  03072024_1606_02072024_DHL522918767AA.docx
- Size
  
  16KB
- MD5
  
  f97f213bb0f35c63379e436ed801f3cb
- SHA1
  
  a3d28a24d4b3e1a499873d295195bc41a5fd843d
- SHA256
  
  ee701c82b92562f01edbb96ef74f5db9b59ba479e87bdd01c75da61b94203e41
- SHA512
  
  ed8c715d6472b37d8874c4fba288f3c515a2b43bd7fbec8c4cad70f2e63d925d0daea27346be50a7aa4c5801399a8171a6a1f14b096c0725e6fc929482dcf4a4
- SSDEEP
  
  384:UyX/fCXWws8PL8wi4OEwH8TIbE91r2fRK/JYjvigf6vqsp:Uc/+j5P3DOqnYJGuvNf6vR
Score

10^/10

formbook ch25 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch25executionratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy