formbook | ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648 | Triage

Submit
Reports

Overview

overview

Static

static

1

SecuriteIn...93.rtf

windows7-x64

SecuriteIn...93.rtf

windows10-2004-x64

1

Sharing

General

Target

SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf
Size

442KB
Sample

240620-dxf8wszhll
MD5

5b235feb1c1b78d5277c93bd7b0c2e6e
SHA1

5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687
SHA256

ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648
SHA512

a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75
SSDEEP

6144:1wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAlnp/bVl7GR:xpy

Score

10^/10

formbook bi09 execution rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf

Resource

win7-20240221-en

formbook bi09 execution rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf

Resource

win10v2004-20240508-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bi09

Decoy

fayenterprises.online

anekagaminghk.rest

mina-chan.site

theselfcarefaire.com

progym.app

cherishedtimes.space

gkrp9s016x.icu

api288-s-rtp.online

chikankari.shop

annarosellc.com

lcloud.services

aisuitability.com

sks41.com

7779c1.vip

tunasolution.click

nexbetwin.com

huatless.quest

junroptskdyued.shop

yourwellnesseq.com

zcymc.top

alabamacoastalhomesforsale.com

gemline.online

hydroshinepowerwash.com

brandpromocodes.com

soicauxsmb.com

healthcare-trends-31189.bond

qg65.top

lipinpay.com

nfrcadrvcf.com

xn--72cb0bab2pc6b3j3b.com

cb191.pro

solargridsnorthtampabay.com

bodiedbycoyaaa.com

mh-card50.online

759my.xyz

davidlorenc.com

hub2367.com

vmjpdnls.xyz

parentingsupportgroup.xyz

roofing-services-15001.bond

searchhomeshamiltonmill.com

fhermer.com

emailsports.com

t-sit.com

j1xhon.com

67657.ooo

one-business-steering.com

bt365323.com

clientsun.site

bernzahnarzt.com

evriukpostcom.xyz

plasoi.xyz

fxrxvvpc.shop

ixdye610r.xyz

wvpbuildingservices.com

fabergerobotics.com

winday.xyz

myicecreambb.com

plusmc.site

eudlt417i.xyz

rajabet123-akunvip.xyz

lubaksa.shop

baicb.com

zhaotongshi0870.top

umc.autos

Targets

- Target
  
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf
- Size
  
  442KB
- MD5
  
  5b235feb1c1b78d5277c93bd7b0c2e6e
- SHA1
  
  5e9bebe9b3c3b44f03eb12c9484f7e3f5749c687
- SHA256
  
  ed8e464b52a9d62400ba9b9e39fa37555e4b0db548487f56a5ea89b7bdcf9648
- SHA512
  
  a8e9333c705a1d20b47487455583ce211ba0b497a2a4d120671351a3b4f19eb3346b719b5f5e0ab367fb4ab30b233a73910c5392e26acc014e2ff85509f37b75
- SSDEEP
  
  6144:1wAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAlnp/bVl7GR:xpy
Score

10^/10

formbook bi09 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookbi09executionratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy