formbook | c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016 | Triage

Submit
Reports

Overview

overview

Static

static

1

c714df9528...6.docx

windows7-x64

c714df9528...6.docx

windows10-2004-x64

Sharing

General

Target

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.doc
Size

16KB
Sample

240621-by7q5avdmg
MD5

0ec4a5cbc70d9e63dc8efc2197bc03fa
SHA1

24715d7a38a0e3b3495d6fa7bd1164897fe36257
SHA256

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
SHA512

cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
SSDEEP

384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7

Score

10^/10

formbook bi09 execution rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.docx

Resource

win7-20231129-en

formbook bi09 execution rat spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.docx

Resource

win10v2004-20240508-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bi09

Decoy

fayenterprises.online

anekagaminghk.rest

mina-chan.site

theselfcarefaire.com

progym.app

cherishedtimes.space

gkrp9s016x.icu

api288-s-rtp.online

chikankari.shop

annarosellc.com

lcloud.services

aisuitability.com

sks41.com

7779c1.vip

tunasolution.click

nexbetwin.com

huatless.quest

junroptskdyued.shop

yourwellnesseq.com

zcymc.top

alabamacoastalhomesforsale.com

gemline.online

hydroshinepowerwash.com

brandpromocodes.com

soicauxsmb.com

healthcare-trends-31189.bond

qg65.top

lipinpay.com

nfrcadrvcf.com

xn--72cb0bab2pc6b3j3b.com

cb191.pro

solargridsnorthtampabay.com

bodiedbycoyaaa.com

mh-card50.online

759my.xyz

davidlorenc.com

hub2367.com

vmjpdnls.xyz

parentingsupportgroup.xyz

roofing-services-15001.bond

searchhomeshamiltonmill.com

fhermer.com

emailsports.com

t-sit.com

j1xhon.com

67657.ooo

one-business-steering.com

bt365323.com

clientsun.site

bernzahnarzt.com

evriukpostcom.xyz

plasoi.xyz

fxrxvvpc.shop

ixdye610r.xyz

wvpbuildingservices.com

fabergerobotics.com

winday.xyz

myicecreambb.com

plusmc.site

eudlt417i.xyz

rajabet123-akunvip.xyz

lubaksa.shop

baicb.com

zhaotongshi0870.top

umc.autos

Targets

- Target
  
  c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.doc
- Size
  
  16KB
- MD5
  
  0ec4a5cbc70d9e63dc8efc2197bc03fa
- SHA1
  
  24715d7a38a0e3b3495d6fa7bd1164897fe36257
- SHA256
  
  c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
- SHA512
  
  cfa6f5f43e48340e562ff47a8c1c7c73c46e96adf1b9452e252d4e20171a5a0c13175129ee401e217982d7d49f29df045b42ee93045d3e1acc188554c1f71403
- SSDEEP
  
  384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7
Score

10^/10

formbook bi09 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Detects executables packed with SmartAssembly
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookbi09executionratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy