formbook | e827c29f504045d8e6d8a2eb622a571f83e1bf9afaa8f1b839af76f457b45135 | Triage

Sharing

General

Target

Invoice 3284 sales invoice.exe
Size

416KB
Sample

211018-crvcwsdac4
MD5

984eae99ede6562cf394483a1600c4a3
SHA1

75d1a2b5c8cd64dbe8b6470e47c8016db541b794
SHA256

e827c29f504045d8e6d8a2eb622a571f83e1bf9afaa8f1b839af76f457b45135
SHA512

2916b72e8bc5c4f8f610f8e24437c2c28847d5b0de471cb100a923b9ab726e8262b4354311dee5ae3c7f2ec02ef6f8b8358e743f29b4457947079c67a022aaf7

Score

10^/10

formbook r4gk rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

r4gk

C2

http://www.aprilsaak.quest/r4gk/

Decoy

quantalix.com

animalblog-eggs.com

039skz.xyz

guttas.net

lasantadayparty.com

protegerfinanceservices.com

vixtest.xyz

digitaleconomy.global

0xpax.xyz

mobilehome1688.com

themotionpartners.com

valueney.com

hattuafhv.quest

js0061gj.net

360metaverse.biz

seculardata.com

346727688.xyz

smartmapom.com

moksel.com

exoduswatchco.com

Targets

- Target
  
  Invoice 3284 sales invoice.exe
- Size
  
  416KB
- MD5
  
  984eae99ede6562cf394483a1600c4a3
- SHA1
  
  75d1a2b5c8cd64dbe8b6470e47c8016db541b794
- SHA256
  
  e827c29f504045d8e6d8a2eb622a571f83e1bf9afaa8f1b839af76f457b45135
- SHA512
  
  2916b72e8bc5c4f8f610f8e24437c2c28847d5b0de471cb100a923b9ab726e8262b4354311dee5ae3c7f2ec02ef6f8b8358e743f29b4457947079c67a022aaf7
Score

10^/10

formbook r4gk rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookr4gkratspywarestealertrojan

behavioral2

formbookr4gkratspywarestealertrojan