formbook | cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f | Triage

Submit
Reports

Overview

overview

Static

static

SWIFT SKM_...js.exe

windows7-x64

SWIFT SKM_...js.exe

windows10-2004-x64

Sharing

General

Target

SWIFT SKM_4_5767189090436911808.js.exe
Size

946KB
Sample

221208-m7ex9ahg56
MD5

d40709798e6695b0f5cbe45e73dfd677
SHA1

cc27ce3d9199b1ab3dbfa6fea943ea5fc1f4d7d6
SHA256

cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
SHA512

92ebaee7aa16797cf4fdbed3a25d736610ff01d5a6208aa4463973f7596dc7129363b36b67f82b81f86a0212e248984c58200878030440e576fc0b5724efa625
SSDEEP

12288:D2OfFiAGPtdUAXpY+ZmBjHUk+qNng/lxupZMbDF1Uh76xksye1wHe7YnK3o37YU7:yEiPl95hZmBHklxVF1UrsyuwGj0

Score

10^/10

formbook a19i rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT SKM_4_5767189090436911808.js.exe

Resource

win7-20220901-en

formbook a19i rat spyware stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

SWIFT SKM_4_5767189090436911808.js.exe

Resource

win10v2004-20221111-en

formbook a19i rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a19i

Decoy

onelovefungi.com

paperlesspoop.com

perfectsalaries.com

tutor-dashboard.com

canucksshine.com

brl-mo6.online

fathistudio.com

iptv-3.com

hbombmedia.com

ifizidi.com

dahuaguinee.com

jyrbz.com

aawwuk.com

aina.health

socialbod.com

27mk.top

gnomeswhognow.net

unrivaledpurpose.com

randy.cloud

referralcodesmarket.com

takuorigins.com

lewsholding.com

dxlock.com

bestehemosideri.site

torrentwarrior.net

purringlover.com

apiweb.xyz

buradayaziyor.com

veronicamariefield.com

fitnessmoneyblueprint.com

bfsdisplays.com

worldfoodbar.com

cq9games27.com

siespeaks.com

copythefunnel.com

enweb2fa.info

gazachildrensfund.online

maxxess-systems9.cloud

hampyko.online

healingspree.com

rivalology.one

jekev.xyz

theunstoppabletravelers.com

vrf47i.shop

weajo.online

xddxiaoduji.com

facesseekers.com

liankecloud.top

garagesavior.com

dcmobilemassagegal.com

tdcrpd.com

supremejsoftc.cloud

xn--heizanhnger-r8a.com

xitsj.com

amtqu.com

coraphysicatherapy.com

aytjter3.xyz

bssindo.com

discgolfputting.com

trnchmen.com

ethanwatters.com

mykiitsch.com

ricky.world

rochtranel.one

le-shoothe.com

Targets

- Target
  
  SWIFT SKM_4_5767189090436911808.js.exe
- Size
  
  946KB
- MD5
  
  d40709798e6695b0f5cbe45e73dfd677
- SHA1
  
  cc27ce3d9199b1ab3dbfa6fea943ea5fc1f4d7d6
- SHA256
  
  cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
- SHA512
  
  92ebaee7aa16797cf4fdbed3a25d736610ff01d5a6208aa4463973f7596dc7129363b36b67f82b81f86a0212e248984c58200878030440e576fc0b5724efa625
- SSDEEP
  
  12288:D2OfFiAGPtdUAXpY+ZmBjHUk+qNng/lxupZMbDF1Uh76xksye1wHe7YnK3o37YU7:yEiPl95hZmBHklxVF1UrsyuwGj0
Score

10^/10

formbook a19i rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka19iratspywarestealertrojan

behavioral2

formbooka19iratspywarestealertrojan

© 2018-2024

Terms | Privacy