formbook | 090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80 | Triage

Submit
Reports

Overview

overview

Static

static

RFQ _#CIF ...ad.exe

windows7-x64

RFQ _#CIF ...ad.exe

windows10-2004-x64

Sharing

General

Target

RFQ _#CIF FOR Hyderabad.exe
Size

893KB
Sample

221207-rj1bhaac4z
MD5

38e553f81a142579ea9a4e61a5c02c14
SHA1

44cb7f3254aa1991bd49039f9cfaec4ac3cf87b2
SHA256

090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80
SHA512

3bc489194086f1abc40e077657d50835d6a71fe94314592aa47c806340ae3d5dd4f53bb8bc969c7d22cd2403fd395a8283a4573abb1475709dd7543c72b65203
SSDEEP

12288:roQgKZ/nXt7virmWhlGLaQYIV7m2HUOZE2SqvXD0LLc7VrfOJvFTkfDtd9201ZRk:DBHEdqf0KOJvFTkf5L2GRahex3zLu

Score

10^/10

formbook d94i phishing rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ _#CIF FOR Hyderabad.exe

Resource

win7-20221111-en

formbook d94i rat spyware stealer trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ _#CIF FOR Hyderabad.exe

Resource

win10v2004-20220812-en

formbook d94i phishing rat spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

binotel.online

hengyangwangc.com

177787.com

dapperexperiences.com

perfectlyvintage.co.uk

ivoneartes.com

freightbyu.com

hotelvillaverdehn.com

igor-paixao.com

packmask.co.uk

lotuslandticketspice.com

mgkmanufacturing.com

casamollyshop.com

euterpe-paris-violin.com

imfeelingluckyongoogle.com

1wwxbc.top

9pdygwqg.com

akinsoftayvalik.xyz

kicoat.com

badgescottage.co.uk

bigbagsale.shop

scintillatecreative.com

thisguycancook.africa

truevision.africa

aapainternational.com

andrea-fuchs.com

thetrendshop.co.uk

pinkshea.co.uk

historiafilia.com

imaginationlbrary.com

electionfactsnc.com

cyberparkbhutani.com

freshcouponz.com

altyazili90.xyz

lidraulico.info

cardedeuweb.com

chacossandalsuk.com

10bconsulting.com

koziime.com

peek-a.boo

iuwamz.top

stonebridgetops.co.uk

heck-akunwso.xyz

helveticabold.co.uk

schoolcut.org.uk

Targets

- Target
  
  RFQ _#CIF FOR Hyderabad.exe
- Size
  
  893KB
- MD5
  
  38e553f81a142579ea9a4e61a5c02c14
- SHA1
  
  44cb7f3254aa1991bd49039f9cfaec4ac3cf87b2
- SHA256
  
  090b0e38780c07da32a7d9119c754e34b398845b94fbe8ea544fc9ab8d81ac80
- SHA512
  
  3bc489194086f1abc40e077657d50835d6a71fe94314592aa47c806340ae3d5dd4f53bb8bc969c7d22cd2403fd395a8283a4573abb1475709dd7543c72b65203
- SSDEEP
  
  12288:roQgKZ/nXt7virmWhlGLaQYIV7m2HUOZE2SqvXD0LLc7VrfOJvFTkfDtd9201ZRk:DBHEdqf0KOJvFTkf5L2GRahex3zLu
Score

10^/10

formbook d94i rat spyware stealer trojan phishing
- Detected phishing page
  phishing
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookd94iratspywarestealertrojan

behavioral2

formbookd94iphishingratspywarestealertrojan

© 2018-2024

Terms | Privacy