formbook | 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59 | Triage

Submit
Reports

Overview

overview

Static

static

1

birectangular.vbs

windows7-x64

8

birectangular.vbs

windows10-2004-x64

Sharing

General

Target

birectangular.vbs
Size

413KB
Sample

240703-gh1krstgkk
MD5

be6f44242b4afd0e61d775b9ef7946b0
SHA1

80ce71becc7fb1203a43708d7e3fdcad778bb79e
SHA256

8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59
SHA512

e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86
SSDEEP

6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd

Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

birectangular.vbs

Resource

win7-20240419-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

birectangular.vbs

Resource

win10v2004-20240508-en

formbook guloader dd01 downloader persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

g90luv.vip

glamourverde.store

tzbgs.com

alpha-wealth.club

homestreamztv.com

alignedinvestment.com

ragwash.com

ultrakan.xyz

clearconceptslearning.com

explorewithnor.com

d-b-d.com

saltdrink.com

55957462.com

limbicmindset.com

baldomerotienda.com

yh-9.xyz

easyskinz.xyz

lovefulmindfulness.com

030303-11122222.cloud

sunpulse.store

rescapital.world

payizadlt.com

cindcxyshirts.shop

vnddq.biz

pvywgx235i.top

www708cc.vip

poa88koi.lol

aseasyas1234inc.net

ygudk.biz

tmdirtbikes.com

bqzprvkljhwtmnxy.net

qk09.top

aiatlant.com

zayinvest.com

intermediafx.com

lemonlight.fun

eurovisfilo.com

bluefrazer.com

835000suns.com

checkonly.net

bs2bestat.net

praywithus.space

huafu.site

radleyhealth.com

x6hk8.com

Targets

- Target
  
  birectangular.vbs
- Size
  
  413KB
- MD5
  
  be6f44242b4afd0e61d775b9ef7946b0
- SHA1
  
  80ce71becc7fb1203a43708d7e3fdcad778bb79e
- SHA256
  
  8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59
- SHA512
  
  e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86
- SSDEEP
  
  6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd
Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

formbookguloaderdd01downloaderpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy