formbook | ac736471989d829de46fd469cc314a609153e7fdbe837ddbe6e19ac4cc407c8f | Triage

Submit
Reports

Overview

overview

Static

static

1

RFQ270323.exe

windows7-x64

RFQ270323.exe

windows10-2004-x64

Sharing

General

Target

RFQ270323.7z
Size

1.0MB
Sample

230328-d33dbagg58
MD5

fc43d045f5a3937a4ad8d2cb6678af60
SHA1

b4ed9b96896943bb197109fb944cfd0c8e72a298
SHA256

ac736471989d829de46fd469cc314a609153e7fdbe837ddbe6e19ac4cc407c8f
SHA512

1646aec5ac3aadf1af0669caf8cb00933c00176002050da75fd14621a1e0342249b67adf7d4954ba4f7701bff1ec90603d4b198186f51231f38c205eb36dbcb8
SSDEEP

24576:s78V4AcNOZX3mzudmt7owFyNDsw1YyAUPv0IcPR0c:sdUpmadmt7oRN7ZPvd4

Score

10^/10

formbook mg24 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQ270323.exe

Resource

win7-20230220-en

formbook mg24 persistence rat spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ270323.exe

Resource

win10v2004-20230220-en

formbook mg24 persistence rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mg24

Decoy

jhae3jp.store

generalfirstaidcourse.com

breville-accounting.com

homeinthehamptonsny.com

amphibiamerch.store

lagosstateteacherawards.africa

955.global

longmaosh.com

crblwks.com

horliga.co.uk

classicdancehitzofficial.com

crytodefi.online

huachunjianshe-sh.com

hotel-la-cascada.xyz

avastate.com

cheapweedseeds.com

abgroupthailand.com

context-switching.com

drsolarshine.site

nxeliz.xyz

cozyfair.com

charlieandeleanor.com

loveepisodes.africa

caijunyong.com

43185.vip

mrcconsultants.co.uk

sgpcoaching.co.uk

hostwz.com

winnipeglandscaping.net

katkisiz.info

helmstore.africa

metrobots.africa

edkofilms.info

bvmc-valve.com

cutemattchy.com

easylivingstore.africa

weedent.net

huliang.love

cvhigherplatforms.uk

asfimmigrationservices.uk

sentjob.com

accessradonc.com

d4001.email

breathingsunderrated.com

baratieistore.online

goboony-apis.com

6n887.com

jessicaalejandre.com

friendlydalmatians.com

li-ionclean.com

greenacresscapes.com

helmutneumann.com

coach-kiron.com

hbgjjm.com

minsyoku.net

tuminbella.africa

hapticcrowd.com

idahoo.shop

viksintegratedservices.africa

foreverhomearchitect.com

canad.info

joshuasuccess.africa

truegritconsultant.com

for-elderly.com

belevderetrading.com

Targets

- Target
  
  RFQ270323.exe
- Size
  
  1.2MB
- MD5
  
  28bad71f1d8eb708ac2e7df6ca5e6154
- SHA1
  
  0c49ef832fbc2144edc391346fd37ef28c026fac
- SHA256
  
  d9cb6944a11885d5920382271111ef7a8f45b9daf7bf0c60db455d298d24bbeb
- SHA512
  
  828ef4077bc52d4a15cd2b5db8768b34d1597e861e148298d988800d72ba7342e3f5142f0a7c1eb82ffd1230fc048acffd3f15be408ce83f9ad67628b2789dd6
- SSDEEP
  
  24576:ETbBv5rUVGgovq8fE0WyXjjUBD8SqAOgRF6stH:2B0ovrzYDVqK6stH
Score

10^/10

formbook mg24 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookmg24persistenceratspywarestealertrojan

behavioral2

formbookmg24persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy