FormBook campaign

Severity: lowType: campaign

FormBook campaign

AI Analysis

Technical Summary

The FormBook campaign refers to ongoing malicious activities involving the FormBook malware, a well-known information-stealing malware primarily distributed via spearphishing email attachments. FormBook is designed to harvest sensitive information such as credentials, keystrokes, clipboard data, and system information from infected hosts. The campaign is characterized by the use of spearphishing attachments (MITRE ATT&CK techniques T1566.001 and T1193), where targeted users receive emails containing malicious documents or executables that, when opened, deploy the FormBook payload. Although the provided data does not specify affected software versions or particular vulnerabilities exploited, the campaign relies heavily on social engineering to trick users into executing the malware. The campaign is tagged with a low severity rating by the source, and no patches or known exploits in the wild are reported, indicating that the threat primarily exploits user behavior rather than software flaws. The technical details suggest moderate confidence in the analysis (threat level 3, analysis 2), and the campaign is ongoing as of mid-2023. FormBook's capabilities include data exfiltration and potential lateral movement, posing risks to confidentiality and integrity of organizational data.

Potential Impact

For European organizations, the FormBook campaign poses a significant risk to data confidentiality and operational security. Successful infections can lead to credential theft, enabling attackers to access corporate networks, email accounts, and other critical systems. This can result in further compromise, data breaches, intellectual property theft, and potential financial losses. The campaign's reliance on spearphishing means that sectors with high email communication volumes and sensitive data, such as finance, healthcare, and government, are particularly vulnerable. Additionally, the theft of credentials can facilitate subsequent attacks, including ransomware deployment or espionage. While the campaign is rated low severity, the cumulative impact of multiple infections or targeted attacks against high-value European entities could be substantial. The absence of known exploits in software suggests that user awareness and email security are critical defense points.

Mitigation Recommendations

To mitigate the FormBook campaign effectively, European organizations should implement targeted measures beyond generic advice: 1) Enhance email filtering solutions to detect and quarantine spearphishing attachments using advanced heuristics and sandboxing techniques. 2) Conduct regular, scenario-based phishing awareness training focused on recognizing spearphishing attachments and social engineering tactics. 3) Enforce strict attachment handling policies, such as blocking or sandboxing executable and macro-enabled files from untrusted sources. 4) Deploy endpoint detection and response (EDR) solutions capable of identifying FormBook behavioral indicators, including unusual credential access or data exfiltration patterns. 5) Implement multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft. 6) Monitor network traffic for anomalies indicative of data exfiltration or command-and-control communications associated with FormBook. 7) Maintain up-to-date threat intelligence feeds to adapt defenses promptly as the campaign evolves.

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland

Indicators of Compromise

file: 34.102.136.180
hash: 80
file: 162.241.252.197
hash: 80
file: 3.64.163.50
hash: 80
file: 38.54.177.114
hash: 80
file: 185.107.56.209
hash: 80
file: 34.117.168.233
hash: 80
file: 54.144.38.219
hash: 80
file: 208.91.197.27
hash: 80
file: 207.60.53.40
hash: 80
file: 66.235.200.146
hash: 80
file: 188.114.97.13
hash: 80
url: http://www.doordelivery.life/km37/
url: http://www.busybody.app/km37/
url: http://www.damcostafreda12.cat/km37/
url: http://www.blueridgebedracks.com/km37/
url: http://www.hilltopspice.com/km37/
url: http://www.addonysfitwear.com/km37/
url: http://www.bestridelabs.com/km37/
url: http://www.huashi366.com/km37/
url: http://www.1wihug.top/km37/
url: http://www.66563.se/km37/
url: http://www.96mvipmy.com/km37/
url: http://www.lab1207.com/km37/
url: http://www.80b80.app/km37/
url: http://www.graphicstudio53.com/km37/
url: http://www.xn--etherealsoires-mkb.com/km37/
url: http://www.bestrosetoy.com/km37/
url: http://www.discounthub.xyz/km37/
url: http://www.addmusthaveoppprofit.online/km37/
url: http://www.abovegame.biz/km37/
url: http://www.getv3apparel.com/km37/
url: http://www.designroom.app/km37/
url: http://www.apatriotspeaks.com/km37/
url: http://www.ayq6cn.shop/km37/
url: http://www.androidrehber.com/km37/
url: http://www.iratewonderhandstore.africa/km37/
url: http://www.chateaufinewines.com/km37/
url: http://www.fantiplumbing.com/km37/
url: http://www.furadventure.com/km37/
url: http://www.jogo.africa/km37/
url: http://www.dashfashion.store/km37/
url: http://www.family-doctor-54927.com/km37/
url: http://www.66y143.xyz/km37/
url: http://www.bokenco.com/km37/
url: http://www.lermansalesmarketing.com/km37/
url: http://www.mybunnylawn.com/km37/
url: http://www.innerlovefest.com/km37/
url: http://www.jiayi-x.com/km37/
url: http://www.azart-player.ru/km37/
url: http://www.motorsolutionswithmakro.co.uk/km37/
url: http://www.demonstrate-suppress.net/km37/
url: http://www.jaafil.com/km37/
url: http://www.coinnspoo.com/km37/
url: http://www.micdavevtuportal.africa/km37/
url: http://www.austmactrading.com/km37/
url: http://www.bxsh.cloud/km37/
url: http://www.ourfturehealth.org.uk/km37/
url: http://www.3dgamesource.com/km37/
url: http://www.capturecreativeproductions.com/km37/
url: http://www.vestby.net/km37/
url: http://www.uyruio.xyz/km37/
url: http://www.calandrainmanlaw.com/km37/
url: http://www.horsesnarrowboatsrabbits.com/km37/
url: http://www.moosemunch.boo/km37/
url: http://www.famousleaked.site/km37/
url: http://www.betonyventures.com/km37/
url: http://www.68i81.top/km37/
url: http://www.katskateringllc.com/km37/
url: http://www.wemakebelieve.africa/km37/
url: http://www.hissy.shop/km37/
url: http://www.eatit.click/km37/
url: http://www.awesomeessential.com/km37/
url: http://www.hbcumicbrophone.com/km37/
url: http://www.calliebarrows.online/km37/
url: http://www.brippa.store/km37/
url: http://www.chopsbyzarah.com/km37/
domain: uyruio.xyz
domain: busybody.app
domain: damcostafreda12.cat
domain: blueridgebedracks.com
domain: hilltopspice.com
domain: addonysfitwear.com
domain: bestridelabs.com
domain: huashi366.com
domain: 1wihug.top
domain: 66563.se
domain: 96mvipmy.com
domain: lab1207.com
domain: 80b80.app
domain: graphicstudio53.com
domain: xn--etherealsoires-mkb.com
domain: bestrosetoy.com
domain: discounthub.xyz
domain: addmusthaveoppprofit.online
domain: abovegame.biz
domain: getv3apparel.com
domain: designroom.app
domain: apatriotspeaks.com
domain: ayq6cn.shop
domain: androidrehber.com
domain: iratewonderhandstore.africa
domain: chateaufinewines.com
domain: fantiplumbing.com
domain: furadventure.com
domain: jogo.africa
domain: dashfashion.store
domain: family-doctor-54927.com
domain: 66y143.xyz
domain: bokenco.com
domain: lermansalesmarketing.com
domain: mybunnylawn.com
domain: innerlovefest.com
domain: jiayi-x.com
domain: azart-player.ru
domain: motorsolutionswithmakro.co.uk
domain: demonstrate-suppress.net
domain: jaafil.com
domain: coinnspoo.com
domain: micdavevtuportal.africa
domain: austmactrading.com
domain: bxsh.cloud
domain: ourfturehealth.org.uk
domain: 3dgamesource.com
domain: capturecreativeproductions.com
domain: vestby.net
domain: calandrainmanlaw.com
domain: horsesnarrowboatsrabbits.com
domain: moosemunch.boo
domain: famousleaked.site
domain: betonyventures.com
domain: 68i81.top
domain: katskateringllc.com
domain: wemakebelieve.africa
domain: hissy.shop
domain: eatit.click
domain: awesomeessential.com
domain: hbcumicbrophone.com
domain: calliebarrows.online
domain: brippa.store
domain: chopsbyzarah.com
malware-sample: SV00388388323788.arj|f515d29ebd892a5f8b19e571a75a6d34
file: SV00388388323788.arj
hash: f515d29ebd892a5f8b19e571a75a6d34
hash: c514799ffdc38d48b7e90b8b6a324c354d1fd2a2
hash: 5ba3876088c3578f7d369253d0c27454794282e420a106188fbee7e060a3cea1
size-in-bytes: 703515
file: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85
size-in-bytes: 184832
float: 7.4132217734106
hash: a9e30d6f94ac7d32de3e0d46bea63795
hash: a90acad4b9cd1d762c758721b0913c3e130d0e3c
hash: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85
hash: b68ba759b7f42362afd514aab8c2eeeb57e395a9e24b0faa3e2c1411bf6149f86722731d470390e3dce35e4183c9e283fd6b8c04792c1df46d4b0d0b50e0c2f8
malware-sample: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85|a9e30d6f94ac7d32de3e0d46bea63795
mime-type: data
ssdeep: 3072:NHJRT+khPd3g8gUp3oudAgrDq4AKV9FUzmlYKGEYuCraA1vwLZ:jxVoOTXq45V92vKjYuhgvo
text: { "keys": [ "7f1cf8a24c450f66b4d58bff70a4f51a739c6db4", "e02377d3a2c0370ad8cd43957487b0bfe3b3fd9e", "090f3f94d775d9a351558dca5130a9af3beb4f7b", "fb434171528eaf7d6fb502701a6fe4d9f0f47ecd", "925f0e6df989b15fcf430ee98f2e0fdc12c909c9", "413797622f6a40d9b170cd9a77480ccb5d6b61cc", "61f0ddfbe29c8e01c2672f5f2be3d46480f89655" ], "type": "formbook", "urls": [ { "url": "http://www.doordelivery.life/km37/" }, { "url": "http://www.busybody.app/km37/" }, { "url": "http://www.damcostafreda12.cat/km37/" }, { "url": "http://www.blueridgebedracks.com/km37/" }, { "url": "http://www.hilltopspice.com/km37/" }, { "url": "http://www.addonysfitwear.com/km37/" }, { "url": "http://www.bestridelabs.com/km37/" }, { "url": "http://www.huashi366.com/km37/" }, { "url": "http://www.1wihug.top/km37/" }, { "url": "http://www.66563.se/km37/" }, { "url": "http://www.96mvipmy.com/km37/" }, { "url": "http://www.lab1207.com/km37/" }, { "url": "http://www.80b80.app/km37/" }, { "url": "http://www.graphicstudio53.com/km37/" }, { "url": "http://www.xn--etherealsoires-mkb.com/km37/" }, { "url": "http://www.bestrosetoy.com/km37/" }, { "url": "http://www.discounthub.xyz/km37/" }, { "url": "http://www.addmusthaveoppprofit.online/km37/" }, { "url": "http://www.abovegame.biz/km37/" }, { "url": "http://www.getv3apparel.com/km37/" }, { "url": "http://www.designroom.app/km37/" }, { "url": "http://www.apatriotspeaks.com/km37/" }, { "url": "http://www.ayq6cn.shop/km37/" }, { "url": "http://www.androidrehber.com/km37/" }, { "url": "http://www.iratewonderhandstore.africa/km37/" }, { "url": "http://www.chateaufinewines.com/km37/" }, { "url": "http://www.fantiplumbing.com/km37/" }, { "url": "http://www.furadventure.com/km37/" }, { "url": "http://www.jogo.africa/km37/" }, { "url": "http://www.dashfashion.store/km37/" }, { "url": "http://www.family-doctor-54927.com/km37/" }, { "url": "http://www.66y143.xyz/km37/" }, { "url": "http://www.bokenco.com/km37/" }, { "url": "http://www.lermansalesmarketing.com/km37/" }, { "url": "http://www.mybunnylawn.com/km37/" }, { "url": "http://www.innerlovefest.com/km37/" }, { "url": "http://www.jiayi-x.com/km37/" }, { "url": "http://www.azart-player.ru/km37/" }, { "url": "http://www.motorsolutionswithmakro.co.uk/km37/" }, { "url": "http://www.demonstrate-suppress.net/km37/" }, { "url": "http://www.jaafil.com/km37/" }, { "url": "http://www.coinnspoo.com/km37/" }, { "url": "http://www.micdavevtuportal.africa/km37/" }, { "url": "http://www.austmactrading.com/km37/" }, { "url": "http://www.bxsh.cloud/km37/" }, { "url": "http://www.ourfturehealth.org.uk/km37/" }, { "url": "http://www.3dgamesource.com/km37/" }, { "url": "http://www.capturecreativeproductions.com/km37/" }, { "url": "http://www.vestby.net/km37/" }, { "url": "http://www.uyruio.xyz/km37/" }, { "url": "http://www.calandrainmanlaw.com/km37/" }, { "url": "http://www.horsesnarrowboatsrabbits.com/km37/" }, { "url": "http://www.moosemunch.boo/km37/" }, { "url": "http://www.famousleaked.site/km37/" }, { "url": "http://www.betonyventures.com/km37/" }, { "url": "http://www.68i81.top/km37/" }, { "url": "http://www.katskateringllc.com/km37/" }, { "url": "http://www.wemakebelieve.africa/km37/" }, { "url": "http://www.hissy.shop/km37/" }, { "url": "http://www.eatit.click/km37/" }, { "url": "http://www.awesomeessential.com/km37/" }, { "url": "http://www.hbcumicbrophone.com/km37/" }, { "url": "http://www.calliebarrows.online/km37/" }, { "url": "http://www.brippa.store/km37/" }, { "url": "http://www.chopsbyzarah.com/km37/" } ], "c2_url": "http://www.doordelivery.life/km37/", "domains": [ { "domain": "uyruio.xyz" } ], "version": "4.1", "signature": "FBNG", "real_c2_idxs": [ 126 ], "decoy_domains": [ { "domain": "busybody.app" }, { "domain": "damcostafreda12.cat" }, { "domain": "blueridgebedracks.com" }, { "domain": "hilltopspice.com" }, { "domain": "addonysfitwear.com" }, { "domain": "bestridelabs.com" }, { "domain": "huashi366.com" }, { "domain": "1wihug.top" }, { "domain": "66563.se" }, { "domain": "96mvipmy.com" }, { "domain": "lab1207.com" }, { "domain": "80b80.app" }, { "domain": "graphicstudio53.com" }, { "domain": "xn--etherealsoires-mkb.com" }, { "domain": "bestrosetoy.com" }, { "domain": "discounthub.xyz" }, { "domain": "addmusthaveoppprofit.online" }, { "domain": "abovegame.biz" }, { "domain": "getv3apparel.com" }, { "domain": "designroom.app" }, { "domain": "apatriotspeaks.com" }, { "domain": "ayq6cn.shop" }, { "domain": "androidrehber.com" }, { "domain": "iratewonderhandstore.africa" }, { "domain": "chateaufinewines.com" }, { "domain": "fantiplumbing.com" }, { "domain": "furadventure.com" }, { "domain": "jogo.africa" }, { "domain": "dashfashion.store" }, { "domain": "family-doctor-54927.com" }, { "domain": "66y143.xyz" }, { "domain": "bokenco.com" }, { "domain": "lermansalesmarketing.com" }, { "domain": "mybunnylawn.com" }, { "domain": "innerlovefest.com" }, { "domain": "jiayi-x.com" }, { "domain": "azart-player.ru" }, { "domain": "motorsolutionswithmakro.co.uk" }, { "domain": "demonstrate-suppress.net" }, { "domain": "jaafil.com" }, { "domain": "coinnspoo.com" }, { "domain": "micdavevtuportal.africa" }, { "domain": "austmactrading.com" }, { "domain": "bxsh.cloud" }, { "domain": "ourfturehealth.org.uk" }, { "domain": "3dgamesource.com" }, { "domain": "capturecreativeproductions.com" }, { "domain": "vestby.net" }, { "domain": "uyruio.xyz" }, { "domain": "calandrainmanlaw.com" }, { "domain": "horsesnarrowboatsrabbits.com" }, { "domain": "moosemunch.boo" }, { "domain": "famousleaked.site" }, { "domain": "betonyventures.com" }, { "domain": "68i81.top" }, { "domain": "katskateringllc.com" }, { "domain": "wemakebelieve.africa" }, { "domain": "hissy.shop" }, { "domain": "eatit.click" }, { "domain": "awesomeessential.com" }, { "domain": "hbcumicbrophone.com" }, { "domain": "calliebarrows.online" }, { "domain": "brippa.store" }, { "domain": "chopsbyzarah.com" } ] }
text: JSON

FormBook campaign

Severity: low

Type: campaign

FormBook campaign

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland

Indicators of Compromise

file: 34.102.136.180
hash: 80
file: 162.241.252.197
hash: 80
file: 3.64.163.50
hash: 80
file: 38.54.177.114
hash: 80
file: 185.107.56.209
hash: 80
file: 34.117.168.233
hash: 80
file: 54.144.38.219
hash: 80
file: 208.91.197.27
hash: 80
file: 207.60.53.40
hash: 80
file: 66.235.200.146
hash: 80
file: 188.114.97.13
hash: 80
url: http://www.doordelivery.life/km37/
url: http://www.busybody.app/km37/
url: http://www.damcostafreda12.cat/km37/
url: http://www.blueridgebedracks.com/km37/
url: http://www.hilltopspice.com/km37/
url: http://www.addonysfitwear.com/km37/
url: http://www.bestridelabs.com/km37/
url: http://www.huashi366.com/km37/
url: http://www.1wihug.top/km37/
url: http://www.66563.se/km37/
url: http://www.96mvipmy.com/km37/
url: http://www.lab1207.com/km37/
url: http://www.80b80.app/km37/
url: http://www.graphicstudio53.com/km37/
url: http://www.xn--etherealsoires-mkb.com/km37/
url: http://www.bestrosetoy.com/km37/
url: http://www.discounthub.xyz/km37/
url: http://www.addmusthaveoppprofit.online/km37/
url: http://www.abovegame.biz/km37/
url: http://www.getv3apparel.com/km37/
url: http://www.designroom.app/km37/
url: http://www.apatriotspeaks.com/km37/
url: http://www.ayq6cn.shop/km37/
url: http://www.androidrehber.com/km37/
url: http://www.iratewonderhandstore.africa/km37/
url: http://www.chateaufinewines.com/km37/
url: http://www.fantiplumbing.com/km37/
url: http://www.furadventure.com/km37/
url: http://www.jogo.africa/km37/
url: http://www.dashfashion.store/km37/
url: http://www.family-doctor-54927.com/km37/
url: http://www.66y143.xyz/km37/
url: http://www.bokenco.com/km37/
url: http://www.lermansalesmarketing.com/km37/
url: http://www.mybunnylawn.com/km37/
url: http://www.innerlovefest.com/km37/
url: http://www.jiayi-x.com/km37/
url: http://www.azart-player.ru/km37/
url: http://www.motorsolutionswithmakro.co.uk/km37/
url: http://www.demonstrate-suppress.net/km37/
url: http://www.jaafil.com/km37/
url: http://www.coinnspoo.com/km37/
url: http://www.micdavevtuportal.africa/km37/
url: http://www.austmactrading.com/km37/
url: http://www.bxsh.cloud/km37/
url: http://www.ourfturehealth.org.uk/km37/
url: http://www.3dgamesource.com/km37/
url: http://www.capturecreativeproductions.com/km37/
url: http://www.vestby.net/km37/
url: http://www.uyruio.xyz/km37/
url: http://www.calandrainmanlaw.com/km37/
url: http://www.horsesnarrowboatsrabbits.com/km37/
url: http://www.moosemunch.boo/km37/
url: http://www.famousleaked.site/km37/
url: http://www.betonyventures.com/km37/
url: http://www.68i81.top/km37/
url: http://www.katskateringllc.com/km37/
url: http://www.wemakebelieve.africa/km37/
url: http://www.hissy.shop/km37/
url: http://www.eatit.click/km37/
url: http://www.awesomeessential.com/km37/
url: http://www.hbcumicbrophone.com/km37/
url: http://www.calliebarrows.online/km37/
url: http://www.brippa.store/km37/
url: http://www.chopsbyzarah.com/km37/
domain: uyruio.xyz
domain: busybody.app
domain: damcostafreda12.cat
domain: blueridgebedracks.com
domain: hilltopspice.com
domain: addonysfitwear.com
domain: bestridelabs.com
domain: huashi366.com
domain: 1wihug.top
domain: 66563.se
domain: 96mvipmy.com
domain: lab1207.com
domain: 80b80.app
domain: graphicstudio53.com
domain: xn--etherealsoires-mkb.com
domain: bestrosetoy.com
domain: discounthub.xyz
domain: addmusthaveoppprofit.online
domain: abovegame.biz
domain: getv3apparel.com
domain: designroom.app
domain: apatriotspeaks.com
domain: ayq6cn.shop
domain: androidrehber.com
domain: iratewonderhandstore.africa
domain: chateaufinewines.com
domain: fantiplumbing.com
domain: furadventure.com
domain: jogo.africa
domain: dashfashion.store
domain: family-doctor-54927.com
domain: 66y143.xyz
domain: bokenco.com
domain: lermansalesmarketing.com
domain: mybunnylawn.com
domain: innerlovefest.com
domain: jiayi-x.com
domain: azart-player.ru
domain: motorsolutionswithmakro.co.uk
domain: demonstrate-suppress.net
domain: jaafil.com
domain: coinnspoo.com
domain: micdavevtuportal.africa
domain: austmactrading.com
domain: bxsh.cloud
domain: ourfturehealth.org.uk
domain: 3dgamesource.com
domain: capturecreativeproductions.com
domain: vestby.net
domain: calandrainmanlaw.com
domain: horsesnarrowboatsrabbits.com
domain: moosemunch.boo
domain: famousleaked.site
domain: betonyventures.com
domain: 68i81.top
domain: katskateringllc.com
domain: wemakebelieve.africa
domain: hissy.shop
domain: eatit.click
domain: awesomeessential.com
domain: hbcumicbrophone.com
domain: calliebarrows.online
domain: brippa.store
domain: chopsbyzarah.com
malware-sample: SV00388388323788.arj|f515d29ebd892a5f8b19e571a75a6d34
file: SV00388388323788.arj
hash: f515d29ebd892a5f8b19e571a75a6d34
hash: c514799ffdc38d48b7e90b8b6a324c354d1fd2a2
hash: 5ba3876088c3578f7d369253d0c27454794282e420a106188fbee7e060a3cea1
size-in-bytes: 703515
file: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85
size-in-bytes: 184832
float: 7.4132217734106
hash: a9e30d6f94ac7d32de3e0d46bea63795
hash: a90acad4b9cd1d762c758721b0913c3e130d0e3c
hash: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85
hash: b68ba759b7f42362afd514aab8c2eeeb57e395a9e24b0faa3e2c1411bf6149f86722731d470390e3dce35e4183c9e283fd6b8c04792c1df46d4b0d0b50e0c2f8
malware-sample: 84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85|a9e30d6f94ac7d32de3e0d46bea63795
mime-type: data
ssdeep: 3072:NHJRT+khPd3g8gUp3oudAgrDq4AKV9FUzmlYKGEYuCraA1vwLZ:jxVoOTXq45V92vKjYuhgvo
text: { "keys": [ "7f1cf8a24c450f66b4d58bff70a4f51a739c6db4", "e02377d3a2c0370ad8cd43957487b0bfe3b3fd9e", "090f3f94d775d9a351558dca5130a9af3beb4f7b", "fb434171528eaf7d6fb502701a6fe4d9f0f47ecd", "925f0e6df989b15fcf430ee98f2e0fdc12c909c9", "413797622f6a40d9b170cd9a77480ccb5d6b61cc", "61f0ddfbe29c8e01c2672f5f2be3d46480f89655" ], "type": "formbook", "urls": [ { "url": "http://www.doordelivery.life/km37/" }, { "url": "http://www.busybody.app/km37/" }, { "url": "http://www.damcostafreda12.cat/km37/" }, { "url": "http://www.blueridgebedracks.com/km37/" }, { "url": "http://www.hilltopspice.com/km37/" }, { "url": "http://www.addonysfitwear.com/km37/" }, { "url": "http://www.bestridelabs.com/km37/" }, { "url": "http://www.huashi366.com/km37/" }, { "url": "http://www.1wihug.top/km37/" }, { "url": "http://www.66563.se/km37/" }, { "url": "http://www.96mvipmy.com/km37/" }, { "url": "http://www.lab1207.com/km37/" }, { "url": "http://www.80b80.app/km37/" }, { "url": "http://www.graphicstudio53.com/km37/" }, { "url": "http://www.xn--etherealsoires-mkb.com/km37/" }, { "url": "http://www.bestrosetoy.com/km37/" }, { "url": "http://www.discounthub.xyz/km37/" }, { "url": "http://www.addmusthaveoppprofit.online/km37/" }, { "url": "http://www.abovegame.biz/km37/" }, { "url": "http://www.getv3apparel.com/km37/" }, { "url": "http://www.designroom.app/km37/" }, { "url": "http://www.apatriotspeaks.com/km37/" }, { "url": "http://www.ayq6cn.shop/km37/" }, { "url": "http://www.androidrehber.com/km37/" }, { "url": "http://www.iratewonderhandstore.africa/km37/" }, { "url": "http://www.chateaufinewines.com/km37/" }, { "url": "http://www.fantiplumbing.com/km37/" }, { "url": "http://www.furadventure.com/km37/" }, { "url": "http://www.jogo.africa/km37/" }, { "url": "http://www.dashfashion.store/km37/" }, { "url": "http://www.family-doctor-54927.com/km37/" }, { "url": "http://www.66y143.xyz/km37/" }, { "url": "http://www.bokenco.com/km37/" }, { "url": "http://www.lermansalesmarketing.com/km37/" }, { "url": "http://www.mybunnylawn.com/km37/" }, { "url": "http://www.innerlovefest.com/km37/" }, { "url": "http://www.jiayi-x.com/km37/" }, { "url": "http://www.azart-player.ru/km37/" }, { "url": "http://www.motorsolutionswithmakro.co.uk/km37/" }, { "url": "http://www.demonstrate-suppress.net/km37/" }, { "url": "http://www.jaafil.com/km37/" }, { "url": "http://www.coinnspoo.com/km37/" }, { "url": "http://www.micdavevtuportal.africa/km37/" }, { "url": "http://www.austmactrading.com/km37/" }, { "url": "http://www.bxsh.cloud/km37/" }, { "url": "http://www.ourfturehealth.org.uk/km37/" }, { "url": "http://www.3dgamesource.com/km37/" }, { "url": "http://www.capturecreativeproductions.com/km37/" }, { "url": "http://www.vestby.net/km37/" }, { "url": "http://www.uyruio.xyz/km37/" }, { "url": "http://www.calandrainmanlaw.com/km37/" }, { "url": "http://www.horsesnarrowboatsrabbits.com/km37/" }, { "url": "http://www.moosemunch.boo/km37/" }, { "url": "http://www.famousleaked.site/km37/" }, { "url": "http://www.betonyventures.com/km37/" }, { "url": "http://www.68i81.top/km37/" }, { "url": "http://www.katskateringllc.com/km37/" }, { "url": "http://www.wemakebelieve.africa/km37/" }, { "url": "http://www.hissy.shop/km37/" }, { "url": "http://www.eatit.click/km37/" }, { "url": "http://www.awesomeessential.com/km37/" }, { "url": "http://www.hbcumicbrophone.com/km37/" }, { "url": "http://www.calliebarrows.online/km37/" }, { "url": "http://www.brippa.store/km37/" }, { "url": "http://www.chopsbyzarah.com/km37/" } ], "c2_url": "http://www.doordelivery.life/km37/", "domains": [ { "domain": "uyruio.xyz" } ], "version": "4.1", "signature": "FBNG", "real_c2_idxs": [ 126 ], "decoy_domains": [ { "domain": "busybody.app" }, { "domain": "damcostafreda12.cat" }, { "domain": "blueridgebedracks.com" }, { "domain": "hilltopspice.com" }, { "domain": "addonysfitwear.com" }, { "domain": "bestridelabs.com" }, { "domain": "huashi366.com" }, { "domain": "1wihug.top" }, { "domain": "66563.se" }, { "domain": "96mvipmy.com" }, { "domain": "lab1207.com" }, { "domain": "80b80.app" }, { "domain": "graphicstudio53.com" }, { "domain": "xn--etherealsoires-mkb.com" }, { "domain": "bestrosetoy.com" }, { "domain": "discounthub.xyz" }, { "domain": "addmusthaveoppprofit.online" }, { "domain": "abovegame.biz" }, { "domain": "getv3apparel.com" }, { "domain": "designroom.app" }, { "domain": "apatriotspeaks.com" }, { "domain": "ayq6cn.shop" }, { "domain": "androidrehber.com" }, { "domain": "iratewonderhandstore.africa" }, { "domain": "chateaufinewines.com" }, { "domain": "fantiplumbing.com" }, { "domain": "furadventure.com" }, { "domain": "jogo.africa" }, { "domain": "dashfashion.store" }, { "domain": "family-doctor-54927.com" }, { "domain": "66y143.xyz" }, { "domain": "bokenco.com" }, { "domain": "lermansalesmarketing.com" }, { "domain": "mybunnylawn.com" }, { "domain": "innerlovefest.com" }, { "domain": "jiayi-x.com" }, { "domain": "azart-player.ru" }, { "domain": "motorsolutionswithmakro.co.uk" }, { "domain": "demonstrate-suppress.net" }, { "domain": "jaafil.com" }, { "domain": "coinnspoo.com" }, { "domain": "micdavevtuportal.africa" }, { "domain": "austmactrading.com" }, { "domain": "bxsh.cloud" }, { "domain": "ourfturehealth.org.uk" }, { "domain": "3dgamesource.com" }, { "domain": "capturecreativeproductions.com" }, { "domain": "vestby.net" }, { "domain": "uyruio.xyz" }, { "domain": "calandrainmanlaw.com" }, { "domain": "horsesnarrowboatsrabbits.com" }, { "domain": "moosemunch.boo" }, { "domain": "famousleaked.site" }, { "domain": "betonyventures.com" }, { "domain": "68i81.top" }, { "domain": "katskateringllc.com" }, { "domain": "wemakebelieve.africa" }, { "domain": "hissy.shop" }, { "domain": "eatit.click" }, { "domain": "awesomeessential.com" }, { "domain": "hbcumicbrophone.com" }, { "domain": "calliebarrows.online" }, { "domain": "brippa.store" }, { "domain": "chopsbyzarah.com" } ] }
text: JSON

Source: CIRCL

Published: Fri Jun 16 2023

FormBook campaign

Low

Campaigntype:osint osint:lifetime="perpetual"osint:certainty="50"tlp:white tlp:clear misp-galaxy:tool="formbook"misp-galaxy:mitre-attack-pattern="spearphishing attachment - t1566.001"misp-galaxy:mitre-attack-pattern="spearphishing attachment - t1193"

Published: Fri Jun 16 2023 (06/16/2023, 00:00:00 UTC)

Source: CIRCL

Vendor/Project: type

Product: osint

Description

FormBook campaign

AI-Powered Analysis

AILast updated: 07/09/2025, 00:24:49 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Need more detailed analysis?Get Pro

Pro Feature

For access to advanced analysis and higher rate limits, contact root@offseq.com

Technical Details

Threat Level: 3
Analysis: 2
Uuid: f45fe125-7f3f-4335-bf74-5ab61eb5b645
Original Timestamp: 1686914589

Indicators of Compromise

File

Value	Description	Copy
file34.102.136.180	On port 80
file162.241.252.197	On port 80
file3.64.163.50	On port 80
file38.54.177.114	On port 80
file185.107.56.209	On port 80
file34.117.168.233	On port 80
file54.144.38.219	On port 80
file208.91.197.27	On port 80
file207.60.53.40	On port 80
file66.235.200.146	On port 80
file188.114.97.13	On port 80
fileSV00388388323788.arj	—
file84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85	—

Hash

Value	Description	Copy
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hash80	On port 80
hashf515d29ebd892a5f8b19e571a75a6d34	—
hashc514799ffdc38d48b7e90b8b6a324c354d1fd2a2	—
hash5ba3876088c3578f7d369253d0c27454794282e420a106188fbee7e060a3cea1	—
hasha9e30d6f94ac7d32de3e0d46bea63795	—
hasha90acad4b9cd1d762c758721b0913c3e130d0e3c	—
hash84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85	—
hashb68ba759b7f42362afd514aab8c2eeeb57e395a9e24b0faa3e2c1411bf6149f86722731d470390e3dce35e4183c9e283fd6b8c04792c1df46d4b0d0b50e0c2f8	—

Url

Value	Description	Copy
urlhttp://www.doordelivery.life/km37/	—
urlhttp://www.busybody.app/km37/	—
urlhttp://www.damcostafreda12.cat/km37/	—
urlhttp://www.blueridgebedracks.com/km37/	—
urlhttp://www.hilltopspice.com/km37/	—
urlhttp://www.addonysfitwear.com/km37/	—
urlhttp://www.bestridelabs.com/km37/	—
urlhttp://www.huashi366.com/km37/	—
urlhttp://www.1wihug.top/km37/	—
urlhttp://www.66563.se/km37/	—
urlhttp://www.96mvipmy.com/km37/	—
urlhttp://www.lab1207.com/km37/	—
urlhttp://www.80b80.app/km37/	—
urlhttp://www.graphicstudio53.com/km37/	—
urlhttp://www.xn--etherealsoires-mkb.com/km37/	—
urlhttp://www.bestrosetoy.com/km37/	—
urlhttp://www.discounthub.xyz/km37/	—
urlhttp://www.addmusthaveoppprofit.online/km37/	—
urlhttp://www.abovegame.biz/km37/	—
urlhttp://www.getv3apparel.com/km37/	—
urlhttp://www.designroom.app/km37/	—
urlhttp://www.apatriotspeaks.com/km37/	—
urlhttp://www.ayq6cn.shop/km37/	—
urlhttp://www.androidrehber.com/km37/	—
urlhttp://www.iratewonderhandstore.africa/km37/	—
urlhttp://www.chateaufinewines.com/km37/	—
urlhttp://www.fantiplumbing.com/km37/	—
urlhttp://www.furadventure.com/km37/	—
urlhttp://www.jogo.africa/km37/	—
urlhttp://www.dashfashion.store/km37/	—
urlhttp://www.family-doctor-54927.com/km37/	—
urlhttp://www.66y143.xyz/km37/	—
urlhttp://www.bokenco.com/km37/	—
urlhttp://www.lermansalesmarketing.com/km37/	—
urlhttp://www.mybunnylawn.com/km37/	—
urlhttp://www.innerlovefest.com/km37/	—
urlhttp://www.jiayi-x.com/km37/	—
urlhttp://www.azart-player.ru/km37/	—
urlhttp://www.motorsolutionswithmakro.co.uk/km37/	—
urlhttp://www.demonstrate-suppress.net/km37/	—
urlhttp://www.jaafil.com/km37/	—
urlhttp://www.coinnspoo.com/km37/	—
urlhttp://www.micdavevtuportal.africa/km37/	—
urlhttp://www.austmactrading.com/km37/	—
urlhttp://www.bxsh.cloud/km37/	—
urlhttp://www.ourfturehealth.org.uk/km37/	—
urlhttp://www.3dgamesource.com/km37/	—
urlhttp://www.capturecreativeproductions.com/km37/	—
urlhttp://www.vestby.net/km37/	—
urlhttp://www.uyruio.xyz/km37/	—
urlhttp://www.calandrainmanlaw.com/km37/	—
urlhttp://www.horsesnarrowboatsrabbits.com/km37/	—
urlhttp://www.moosemunch.boo/km37/	—
urlhttp://www.famousleaked.site/km37/	—
urlhttp://www.betonyventures.com/km37/	—
urlhttp://www.68i81.top/km37/	—
urlhttp://www.katskateringllc.com/km37/	—
urlhttp://www.wemakebelieve.africa/km37/	—
urlhttp://www.hissy.shop/km37/	—
urlhttp://www.eatit.click/km37/	—
urlhttp://www.awesomeessential.com/km37/	—
urlhttp://www.hbcumicbrophone.com/km37/	—
urlhttp://www.calliebarrows.online/km37/	—
urlhttp://www.brippa.store/km37/	—
urlhttp://www.chopsbyzarah.com/km37/	—

Domain

Value	Description	Copy
domainuyruio.xyz	—
domainbusybody.app	—
domaindamcostafreda12.cat	—
domainblueridgebedracks.com	—
domainhilltopspice.com	—
domainaddonysfitwear.com	—
domainbestridelabs.com	—
domainhuashi366.com	—
domain1wihug.top	—
domain66563.se	—
domain96mvipmy.com	—
domainlab1207.com	—
domain80b80.app	—
domaingraphicstudio53.com	—
domainxn--etherealsoires-mkb.com	—
domainbestrosetoy.com	—
domaindiscounthub.xyz	—
domainaddmusthaveoppprofit.online	—
domainabovegame.biz	—
domaingetv3apparel.com	—
domaindesignroom.app	—
domainapatriotspeaks.com	—
domainayq6cn.shop	—
domainandroidrehber.com	—
domainiratewonderhandstore.africa	—
domainchateaufinewines.com	—
domainfantiplumbing.com	—
domainfuradventure.com	—
domainjogo.africa	—
domaindashfashion.store	—
domainfamily-doctor-54927.com	—
domain66y143.xyz	—
domainbokenco.com	—
domainlermansalesmarketing.com	—
domainmybunnylawn.com	—
domaininnerlovefest.com	—
domainjiayi-x.com	—
domainazart-player.ru	—
domainmotorsolutionswithmakro.co.uk	—
domaindemonstrate-suppress.net	—
domainjaafil.com	—
domaincoinnspoo.com	—
domainmicdavevtuportal.africa	—
domainaustmactrading.com	—
domainbxsh.cloud	—
domainourfturehealth.org.uk	—
domain3dgamesource.com	—
domaincapturecreativeproductions.com	—
domainvestby.net	—
domaincalandrainmanlaw.com	—
domainhorsesnarrowboatsrabbits.com	—
domainmoosemunch.boo	—
domainfamousleaked.site	—
domainbetonyventures.com	—
domain68i81.top	—
domainkatskateringllc.com	—
domainwemakebelieve.africa	—
domainhissy.shop	—
domaineatit.click	—
domainawesomeessential.com	—
domainhbcumicbrophone.com	—
domaincalliebarrows.online	—
domainbrippa.store	—
domainchopsbyzarah.com	—

Malware sample

Value	Description	Copy
malware-sampleSV00388388323788.arj\|f515d29ebd892a5f8b19e571a75a6d34	—
malware-sample84470338a1b460b107ab8b8642c04bf12fe930e224b79dcb0dad5ac713fc7b85\|a9e30d6f94ac7d32de3e0d46bea63795	—

Size in-bytes

Value	Description	Copy
size-in-bytes703515	—
size-in-bytes184832	—

Float

Value	Description	Copy
float7.4132217734106	—

Mime type

Value	Description	Copy
mime-typedata	—

Ssdeep

Value	Description	Copy
ssdeep3072:NHJRT+khPd3g8gUp3oudAgrDq4AKV9FUzmlYKGEYuCraA1vwLZ:jxVoOTXq45V92vKjYuhgvo	—

Text

Value	Description	Copy
text{ "keys": [ "7f1cf8a24c450f66b4d58bff70a4f51a739c6db4", "e02377d3a2c0370ad8cd43957487b0bfe3b3fd9e", "090f3f94d775d9a351558dca5130a9af3beb4f7b", "fb434171528eaf7d6fb502701a6fe4d9f0f47ecd", "925f0e6df989b15fcf430ee98f2e0fdc12c909c9", "413797622f6a40d9b170cd9a77480ccb5d6b61cc", "61f0ddfbe29c8e01c2672f5f2be3d46480f89655" ], "type": "formbook", "urls": [ { "url": "http://www.doordelivery.life/km37/" }, { "url": "http://www.busybody.app/km37/" }, { "url": "http://www.damcostafreda12.cat/km37/" }, { "url": "http://www.blueridgebedracks.com/km37/" }, { "url": "http://www.hilltopspice.com/km37/" }, { "url": "http://www.addonysfitwear.com/km37/" }, { "url": "http://www.bestridelabs.com/km37/" }, { "url": "http://www.huashi366.com/km37/" }, { "url": "http://www.1wihug.top/km37/" }, { "url": "http://www.66563.se/km37/" }, { "url": "http://www.96mvipmy.com/km37/" }, { "url": "http://www.lab1207.com/km37/" }, { "url": "http://www.80b80.app/km37/" }, { "url": "http://www.graphicstudio53.com/km37/" }, { "url": "http://www.xn--etherealsoires-mkb.com/km37/" }, { "url": "http://www.bestrosetoy.com/km37/" }, { "url": "http://www.discounthub.xyz/km37/" }, { "url": "http://www.addmusthaveoppprofit.online/km37/" }, { "url": "http://www.abovegame.biz/km37/" }, { "url": "http://www.getv3apparel.com/km37/" }, { "url": "http://www.designroom.app/km37/" }, { "url": "http://www.apatriotspeaks.com/km37/" }, { "url": "http://www.ayq6cn.shop/km37/" }, { "url": "http://www.androidrehber.com/km37/" }, { "url": "http://www.iratewonderhandstore.africa/km37/" }, { "url": "http://www.chateaufinewines.com/km37/" }, { "url": "http://www.fantiplumbing.com/km37/" }, { "url": "http://www.furadventure.com/km37/" }, { "url": "http://www.jogo.africa/km37/" }, { "url": "http://www.dashfashion.store/km37/" }, { "url": "http://www.family-doctor-54927.com/km37/" }, { "url": "http://www.66y143.xyz/km37/" }, { "url": "http://www.bokenco.com/km37/" }, { "url": "http://www.lermansalesmarketing.com/km37/" }, { "url": "http://www.mybunnylawn.com/km37/" }, { "url": "http://www.innerlovefest.com/km37/" }, { "url": "http://www.jiayi-x.com/km37/" }, { "url": "http://www.azart-player.ru/km37/" }, { "url": "http://www.motorsolutionswithmakro.co.uk/km37/" }, { "url": "http://www.demonstrate-suppress.net/km37/" }, { "url": "http://www.jaafil.com/km37/" }, { "url": "http://www.coinnspoo.com/km37/" }, { "url": "http://www.micdavevtuportal.africa/km37/" }, { "url": "http://www.austmactrading.com/km37/" }, { "url": "http://www.bxsh.cloud/km37/" }, { "url": "http://www.ourfturehealth.org.uk/km37/" }, { "url": "http://www.3dgamesource.com/km37/" }, { "url": "http://www.capturecreativeproductions.com/km37/" }, { "url": "http://www.vestby.net/km37/" }, { "url": "http://www.uyruio.xyz/km37/" }, { "url": "http://www.calandrainmanlaw.com/km37/" }, { "url": "http://www.horsesnarrowboatsrabbits.com/km37/" }, { "url": "http://www.moosemunch.boo/km37/" }, { "url": "http://www.famousleaked.site/km37/" }, { "url": "http://www.betonyventures.com/km37/" }, { "url": "http://www.68i81.top/km37/" }, { "url": "http://www.katskateringllc.com/km37/" }, { "url": "http://www.wemakebelieve.africa/km37/" }, { "url": "http://www.hissy.shop/km37/" }, { "url": "http://www.eatit.click/km37/" }, { "url": "http://www.awesomeessential.com/km37/" }, { "url": "http://www.hbcumicbrophone.com/km37/" }, { "url": "http://www.calliebarrows.online/km37/" }, { "url": "http://www.brippa.store/km37/" }, { "url": "http://www.chopsbyzarah.com/km37/" } ], "c2_url": "http://www.doordelivery.life/km37/", "domains": [ { "domain": "uyruio.xyz" } ], "version": "4.1", "signature": "FBNG", "real_c2_idxs": [ 126 ], "decoy_domains": [ { "domain": "busybody.app" }, { "domain": "damcostafreda12.cat" }, { "domain": "blueridgebedracks.com" }, { "domain": "hilltopspice.com" }, { "domain": "addonysfitwear.com" }, { "domain": "bestridelabs.com" }, { "domain": "huashi366.com" }, { "domain": "1wihug.top" }, { "domain": "66563.se" }, { "domain": "96mvipmy.com" }, { "domain": "lab1207.com" }, { "domain": "80b80.app" }, { "domain": "graphicstudio53.com" }, { "domain": "xn--etherealsoires-mkb.com" }, { "domain": "bestrosetoy.com" }, { "domain": "discounthub.xyz" }, { "domain": "addmusthaveoppprofit.online" }, { "domain": "abovegame.biz" }, { "domain": "getv3apparel.com" }, { "domain": "designroom.app" }, { "domain": "apatriotspeaks.com" }, { "domain": "ayq6cn.shop" }, { "domain": "androidrehber.com" }, { "domain": "iratewonderhandstore.africa" }, { "domain": "chateaufinewines.com" }, { "domain": "fantiplumbing.com" }, { "domain": "furadventure.com" }, { "domain": "jogo.africa" }, { "domain": "dashfashion.store" }, { "domain": "family-doctor-54927.com" }, { "domain": "66y143.xyz" }, { "domain": "bokenco.com" }, { "domain": "lermansalesmarketing.com" }, { "domain": "mybunnylawn.com" }, { "domain": "innerlovefest.com" }, { "domain": "jiayi-x.com" }, { "domain": "azart-player.ru" }, { "domain": "motorsolutionswithmakro.co.uk" }, { "domain": "demonstrate-suppress.net" }, { "domain": "jaafil.com" }, { "domain": "coinnspoo.com" }, { "domain": "micdavevtuportal.africa" }, { "domain": "austmactrading.com" }, { "domain": "bxsh.cloud" }, { "domain": "ourfturehealth.org.uk" }, { "domain": "3dgamesource.com" }, { "domain": "capturecreativeproductions.com" }, { "domain": "vestby.net" }, { "domain": "uyruio.xyz" }, { "domain": "calandrainmanlaw.com" }, { "domain": "horsesnarrowboatsrabbits.com" }, { "domain": "moosemunch.boo" }, { "domain": "famousleaked.site" }, { "domain": "betonyventures.com" }, { "domain": "68i81.top" }, { "domain": "katskateringllc.com" }, { "domain": "wemakebelieve.africa" }, { "domain": "hissy.shop" }, { "domain": "eatit.click" }, { "domain": "awesomeessential.com" }, { "domain": "hbcumicbrophone.com" }, { "domain": "calliebarrows.online" }, { "domain": "brippa.store" }, { "domain": "chopsbyzarah.com" } ] }	—
textJSON	—

Threat ID: 682acdbebbaf20d303f0e505

Added to database: 5/19/2025, 6:20:46 AM

Last enriched: 7/9/2025, 12:24:49 AM

Last updated: 8/8/2025, 11:13:17 AM

Related Threats

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

External Links

Search on Google

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

FormBook campaign

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Affected Countries

Indicators of Compromise

FormBook campaign

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Affected Countries

Technical Details

Indicators of Compromise

File

Hash

Url

Domain

Malware sample

Size in-bytes

Float

Mime type

Ssdeep

Text

Related Threats

ThreatFox IOCs for 2025-08-15

ThreatFox IOCs for 2025-08-14

ThreatFox IOCs for 2025-08-13

ThreatFox IOCs for 2025-08-12

ThreatFox IOCs for 2025-08-11

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility