formbook | 6f75aa5bfb77700d4a5d180362f67bd23353bb63ae7561c5c19bbca805c6513e | Triage

Submit
Reports

Overview

overview

Static

static

AHMR 4036.exe

windows7-x64

AHMR 4036.exe

windows10-2004-x64

Sharing

General

Target

AHMR 4036.7z
Size

864KB
Sample

220824-mg3xdscahl
MD5

383436dda18908da4a88625c76ff8136
SHA1

321565ed79e758e84cbf796eae5de724324bdf74
SHA256

6f75aa5bfb77700d4a5d180362f67bd23353bb63ae7561c5c19bbca805c6513e
SHA512

94a5fbffd436eaa841d651f704e63786cb0ad3bd21abd4fc8675a78f273bab8ee718cd631805e38107537a01b1d1f7dbb7f20fce54657dcfe0489f2f79b1157d
SSDEEP

24576:EXbwnZzJA8k4MmkZqMhSw98swd80Ce3aBgAHtJaieWOW0Y5:ELwZzFkhNZVNLwd80oBg2twkOW0o

Score

10^/10

formbook ba17 rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

AHMR 4036.exe

Resource

win7-20220812-en

formbook ba17 rat spyware stealer trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

AHMR 4036.exe

Resource

win10v2004-20220812-en

formbook ba17 rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

burdiezholdings.com

facialcoach.com

hunterous.com

carei.xyz

positivityintheworkplace.com

top1productjapan.online

camperrentnovara.com

nostalgiaz.xyz

prepperandsalt.com

platinum-swallow-nest.com

jmdadoag.com

cornerstonesolarconsulting.com

carmelhasit.com

hospitalaurelia.com

epolystars.com

best5psychicreadingsites.com

cbradleyowens.com

cmshelps.com

leclefsdor.com

male-muscle-slave.cloud

eselinchen.com

statesunitedaction.net

goweet.com

hififurniturehouse.info

alphacapitaltrust.online

hotsellmed.com

sunxueling.com

firstclass-poolservice.com

tuveranopelayo.com

wayangslot.net

joseauto.net

consinko.com

pacificoffshorecharters.com

steemboard.xyz

poollife.info

miraihenokoibumi.net

mfh-sa.com

seontra.xyz

openfaders.com

guardianz.online

purse.gold

affaire-chaba.com

rosency.xyz

somethingform.site

digitalpursuitsonline.com

Targets

- Target
  
  AHMR 4036.exe
- Size
  
  1.2MB
- MD5
  
  086de2ec9b8b5c723d127cbfe35b6d75
- SHA1
  
  ed87e00093c8051207c91eaeea7b403a120c1202
- SHA256
  
  6452e7934b058662751322258e57f91a8790ab089a93b17062646080e31ea24a
- SHA512
  
  2cc91c9d4548d5ba0a03a958caf266563001fda2a5752fa7c65ad7d650ff0fcd1723a5197482466a472f487f58422f620c99d1877568c0548c83f18f05fa0fa0
- SSDEEP
  
  24576:S1tTG+YvcFi95eunG2SpnfZ/ykidrl0S3kREYV49Nt:AtTmcFi9ijpnfhyFdTPq49r
Score

10^/10

formbook ba17 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookba17ratspywarestealertrojan

behavioral2

formbookba17ratspywarestealertrojan

© 2018-2024

Terms | Privacy