formbook | 5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7 | Triage

Submit
Reports

Overview

overview

Static

static

1

Employee M...rt.vbs

windows7-x64

Employee M...rt.vbs

windows10-2004-x64

6

Sharing

General

Target

Employee May performance report.vbs
Size

21KB
Sample

240611-xpr5zaxgll
MD5

eea263df06eedb62e8ef52449d443147
SHA1

7cdce2d9268039b378ad4aa43faa1b2f31824f2b
SHA256

5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7
SHA512

ced1a2bc7fe2bec45063b6a930bc7700502d8dfe33623e466a8917401a8f00b19ca0d37f47b0bbb15c21077c5d84b64760643a86b21f21e2d0a122d46aa829ab
SSDEEP

384:QphF0OupkJEIrWJIxrDhnbJ2JsEk2ZMPc6q:QphiOupkJRWJIxrlbQGElZMk6q

Score

10^/10

formbook guloader ty31 downloader execution persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Employee May performance report.vbs

Resource

win7-20240215-en

formbook guloader ty31 downloader execution persistence rat spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Employee May performance report.vbs

Resource

win10v2004-20240508-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ty31

Decoy

jejakunik.com

inb319.com

jifsjn.buzz

gkyukon.site

43443.cfd

cogil69id.com

oeaog.com

lpgatm.com

mymarketsales.com

tomclk.icu

404417.online

nysconstruction.com

ourwisequote.com

ahsanadvisory.com

ottawaherps.com

forevermust.com

apartments-for-rent-47679.bond

kdasjijaksdd.icu

buthaynah.com

manggungjayakanopi.com

cookygan.com

regalessencebeautystudio.com

material.directory

szxart.xyz

ykdbyjk.xyz

hankahve.com

tiituitdsa.net

avantbrews.com

springpace.com

seriesjeans.com

technikwunder.com

angellsonline.com

soujany.com

buysleepp.com

voltvanbage.com

qdhaohuisuan.com

bluedolphinshop.com

aguanegocios.com

abstractdiffusion.com

bahisanaliz16.xyz

weight-loss-34761.bond

x216.icu

twmallll.com

poalsdji.buzz

agtsolargrowth.biz

pixelcloudtec.com

0512155.com

mypsychedeliceducation.com

0306951.top

screw-air-compressor.com

10140wildhawk.com

antheaclinic.com

tppclients.com

needpickleball.com

iraq-visions.com

rtpbonanza138.skin

wjzjs.com

dw6msr8.icu

lepriossa.com

tiktokglobal.shop

youwu.autos

tripshipglobal.com

ncpekingducktogo.com

winbd24.com

xiaobanhome.com

Targets

- Target
  
  Employee May performance report.vbs
- Size
  
  21KB
- MD5
  
  eea263df06eedb62e8ef52449d443147
- SHA1
  
  7cdce2d9268039b378ad4aa43faa1b2f31824f2b
- SHA256
  
  5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7
- SHA512
  
  ced1a2bc7fe2bec45063b6a930bc7700502d8dfe33623e466a8917401a8f00b19ca0d37f47b0bbb15c21077c5d84b64760643a86b21f21e2d0a122d46aa829ab
- SSDEEP
  
  384:QphF0OupkJEIrWJIxrDhnbJ2JsEk2ZMPc6q:QphiOupkJRWJIxrlbQGElZMk6q
Score

10^/10

formbook guloader ty31 downloader execution persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookguloaderty31downloaderexecutionpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy