formbook | 4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4 | Triage

Submit
Reports

Overview

overview

Static

static

1

Quo2024.docx

windows7-x64

Quo2024.docx

windows10-2004-x64

1

Sharing

General

Target

Quo2024.docx
Size

16KB
Sample

240705-qw645s1hpb
MD5

3fbe5c0fdd008937310bc6c9dba29c2d
SHA1

c4fbc0de50070bae54fdabb458260f8d2878a117
SHA256

4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4
SHA512

427800453db7bc6203a6b9166aa73c5a4a15af2b634eb41bcee65d85cbee212c517df431517f929684ef369a818ef170414455b56a2dbbc4cd656ac2f338b333
SSDEEP

384:gyXhR4pW0s8PL8wi4OEwH8TIbE91r2fRAJYjviedmPkGf:gch8L5P3DOqnYJOqvzdmPka

Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Quo2024.docx

Resource

win7-20240220-en

formbook guloader dd01 downloader persistence rat spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

Quo2024.docx

Resource

win10v2004-20240704-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

g90luv.vip

glamourverde.store

tzbgs.com

alpha-wealth.club

homestreamztv.com

alignedinvestment.com

ragwash.com

ultrakan.xyz

clearconceptslearning.com

explorewithnor.com

d-b-d.com

saltdrink.com

55957462.com

limbicmindset.com

baldomerotienda.com

yh-9.xyz

easyskinz.xyz

lovefulmindfulness.com

030303-11122222.cloud

sunpulse.store

rescapital.world

payizadlt.com

cindcxyshirts.shop

vnddq.biz

pvywgx235i.top

www708cc.vip

poa88koi.lol

aseasyas1234inc.net

ygudk.biz

tmdirtbikes.com

bqzprvkljhwtmnxy.net

qk09.top

aiatlant.com

zayinvest.com

intermediafx.com

lemonlight.fun

eurovisfilo.com

bluefrazer.com

835000suns.com

checkonly.net

bs2bestat.net

praywithus.space

huafu.site

radleyhealth.com

x6hk8.com

Targets

- Target
  
  Quo2024.docx
- Size
  
  16KB
- MD5
  
  3fbe5c0fdd008937310bc6c9dba29c2d
- SHA1
  
  c4fbc0de50070bae54fdabb458260f8d2878a117
- SHA256
  
  4b8f8f705246d7d980911042c089e9a9fb450031d5dde069add5f4a207c32dc4
- SHA512
  
  427800453db7bc6203a6b9166aa73c5a4a15af2b634eb41bcee65d85cbee212c517df431517f929684ef369a818ef170414455b56a2dbbc4cd656ac2f338b333
- SSDEEP
  
  384:gyXhR4pW0s8PL8wi4OEwH8TIbE91r2fRAJYjviedmPkGf:gch8L5P3DOqnYJOqvzdmPka
Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Abuses OpenXML format to download file from external location
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookguloaderdd01downloaderpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy