formbook | 6fef888e6f662744463a37949ee1df183c279e42baf355319484293748ded41b | Triage

Submit
Reports

Overview

overview

Static

static

1

Comprobant...20.exe

windows7-x64

Comprobant...20.exe

windows10-2004-x64

Sharing

General

Target

Comprobante de pago INT_EMP221226 20230320_$2763320.exe.malz
Size

1.1MB
Sample

230321-wr9x5acd48
MD5

12411b3710982c190df4993dfe2e3761
SHA1

c66d8a7b15ed34380fde79e4cd2892f934e4b8bc
SHA256

6fef888e6f662744463a37949ee1df183c279e42baf355319484293748ded41b
SHA512

386a3e3036cd2317aaf1b984c13a49d1d678c82c46de9f2001aa4243892ebc330b6005a2490a3683efbf3d686bfee350c4afa1ea2851b86f3b52079bebc57ab2
SSDEEP

24576:4qIRuN3c+/weL3uzxKPH1BYBWLv6QT6JdrD:4HRuNMqwYuzxKPfYIj6QGJdr

Score

10^/10

formbook jr22 rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Comprobante de pago INT_EMP221226 20230320_$2763320.exe

Resource

win7-20230220-en

formbook jr22 rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Comprobante de pago INT_EMP221226 20230320_$2763320.exe

Resource

win10v2004-20230220-en

formbook jr22 rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

foamyfallscarwash.com

padelfaculty.com

theenergysavingcentre.com

dorpp.com

scoresendirect.online

yuqintw.com

erenortopedi.com

skymagickey.com

infinitepuremind.com

watchtamilmovie.com

southplainsinsurance.net

intentionaldating.app

certaproarkansas.com

blidai.com

thehoneybeeworks.com

followplace.com

sipsterbyananeke.com

37300.uk

bluebirdbuyers.com

composewithme.com

moneymundo.com

daftarakun.xyz

samsonm.com

nurse-jobs-in-us-35896.com

cancerbloodspecialistsga.net

feelfeminineagain.com

residentialcaretraining.com

allprocleanouts.com

englishsongs.online

bookkeepingdeerfield.com

bendcollegeadvisor.com

boaiqixian.com

vixensgolfcarts.com

igarrido.net

rsconstructiontrading.com

lakewayturf.com

carelesstees.com

silviaheni.xyz

iaqieqq.com

campingspiel.com

diacute.com

thaigeneratortg.com

autoreenter.com

meclishaber.xyz

airbnbtransfers.com

Targets

- Target
  
  Comprobante de pago INT_EMP221226 20230320_$2763320.exe.malz
- Size
  
  1.1MB
- MD5
  
  12411b3710982c190df4993dfe2e3761
- SHA1
  
  c66d8a7b15ed34380fde79e4cd2892f934e4b8bc
- SHA256
  
  6fef888e6f662744463a37949ee1df183c279e42baf355319484293748ded41b
- SHA512
  
  386a3e3036cd2317aaf1b984c13a49d1d678c82c46de9f2001aa4243892ebc330b6005a2490a3683efbf3d686bfee350c4afa1ea2851b86f3b52079bebc57ab2
- SSDEEP
  
  24576:4qIRuN3c+/weL3uzxKPH1BYBWLv6QT6JdrD:4HRuNMqwYuzxKPfYIj6QGJdr
Score

10^/10

formbook jr22 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookjr22ratspywarestealertrojan

behavioral2

formbookjr22ratspywarestealertrojan

© 2018-2024

Terms | Privacy