formbook | a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495 | Triage

Submit
Reports

Overview

overview

Static

static

1

rquotationorda.exe

windows7-x64

rquotationorda.exe

windows10-2004-x64

Sharing

General

Target

rquotationorda.exe
Size

700KB
Sample

230324-qext5sge51
MD5

6c38701adffd93212d6029444b59ccd6
SHA1

6cd4d0ee67d3c2dc4d3c27952fe03d21af301f5f
SHA256

a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
SHA512

f8a2363f8438bdaf27eb5cf8d69f43b1823886a0600f06f57778e86b1080d4821206d869260d2ebfbfb2fd38c9c61988fe773ecd5e5f05e6ee827dc5dbe4ee63
SSDEEP

12288:VOu8a0GY4jbPeeoVo8AL91kW9CUUCoStDH21X:JjbPJoV2L91CewB

Score

10^/10

formbook n13e rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

rquotationorda.exe

Resource

win7-20230220-en

formbook n13e rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

rquotationorda.exe

Resource

win10v2004-20230220-en

formbook n13e rat spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n13e

Decoy

cowiemarketing.com

uniqueliquidz.co.uk

755259.com

7bw95.com

luxbarstools.co.uk

baccaratda.com

berkayakpinar.xyz

gistus.africa

hjd387.com

leave-fly.com

golfclubdaddy.com

engineeringea.buzz

countryrevisited.com

decoracioneskalite.com

imaginationlirbary.com

moneytransfer.africa

brainwaveproject.com

3039sjbqf2022.com

184hotels.com

aromamiaro.com

bigching.com

armkette.com

energytechnicalsystems.com

bodw2022.com

keptpasha.online

fossillandstone.com

guioueui.link

cleanupbycmw.com

inyeculinary.com

papercrochet.net

jaderoadfarm.com

bril-leadinginvention.com

dtgwarehouse.com

successrn.net

660web.com

lovedhug.com

juicecomedy.co.uk

enigmaxk.com

romunro.net

cassiekayreads.com

ibuycomputers.com

blossomblushbelltents.co.uk

hjce06.com

applyingdreams.com

h2ghb3.site

glown.africa

533671.com

charlottechoicelimos.com

bossinfra.com

anrovlp.xyz

1wqzsb.top

ertfsdf.xyz

exotico-store.com

betterportions.com

corfix.app

888sq.club

takeselfies.net

getyourtitleback.com

clickadega.com

midwestflowsproductions.net

duraveritaswines.com

dublintwist.com

apollobenfitservices.com

kp-aodeli.com

davidmchughroofing.co.uk

Targets

- Target
  
  rquotationorda.exe
- Size
  
  700KB
- MD5
  
  6c38701adffd93212d6029444b59ccd6
- SHA1
  
  6cd4d0ee67d3c2dc4d3c27952fe03d21af301f5f
- SHA256
  
  a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
- SHA512
  
  f8a2363f8438bdaf27eb5cf8d69f43b1823886a0600f06f57778e86b1080d4821206d869260d2ebfbfb2fd38c9c61988fe773ecd5e5f05e6ee827dc5dbe4ee63
- SSDEEP
  
  12288:VOu8a0GY4jbPeeoVo8AL91kW9CUUCoStDH21X:JjbPJoV2L91CewB
Score

10^/10

formbook n13e rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookn13eratspywarestealertrojan

behavioral2

formbookn13eratspywarestealertrojan

© 2018-2024

Terms | Privacy