formbook | b81deeedf20176eab269dc52fb165d8d8c7f74fe3bddf09089702b37dd012ce6 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

Quotation.exe

windows7-x64

Quotation.exe

windows10-2004-x64

Sharing

General

Target

Quotation.exe
Size

704KB
Sample

230503-mcg45agb3w
MD5

64d571f6ab61788ccd1d0e7e83f85e1e
SHA1

65c6d2dc29a74b4ae79594c2a0517c41a0798f9c
SHA256

b81deeedf20176eab269dc52fb165d8d8c7f74fe3bddf09089702b37dd012ce6
SHA512

29f813bf6539d76e68955f93ab96b2a8b3174118f05be8a9ec4432e9761ac7694863146e29247cfedd243414fdebd07ebbdb3537e5a729f985bc6ba3686e89a1
SSDEEP

12288:MPFQH49xB8v6CJvt7pxtQdqqEoL9zH95wo3BE:CFQY9EtxtQdBEoL9zb3O

Score

10^/10

formbook ce18 rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Quotation.exe

Resource

win7-20230220-en

formbook ce18 rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Quotation.exe

Resource

win10v2004-20230220-en

formbook ce18 rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce18

Decoy

kenfinnegan.com

exopestireland.com

allthingzbeautiellc.com

attractiveidiot.com

calmsealight.com

ectobyte.com

8rr.xyz

hcmajq.info

alisongraceventures.com

jamtanganbagus.online

forexpropfirmmastery.com

coupimmobilier.com

amarisetechnologies.com

countrykidsclothing.com

eyecatcher.tech

merxip.online

fiteallc.com

themensroombarber.co.uk

seroofingtelford.co.uk

birdie786.com

tinasc.com

abadicash11.vip

beyondschoolwork.com

coachcreators.net

theoakwheel.co.uk

electrolyteelectric.com

bastetribal.com

bleatcement.online

sunsetnyc.com

bjzlccqz.com

loyaldiscount.com

gamerunr.com

keepaquarium.com

ecochec.ru

annakaiello.com

just-leanin.com

kitchen-furniture-66738.com

alibama.top

current-vacanies.com

hentaireaf.com

sim-virtual.net

wilkesalms.org.uk

bishopdelicious.com

dunamu-cabin.com

kessdaniels.com

x7c7h.com

permianmitsubishi.net

logmauk.co.uk

libertyconsul.com

dghg-106.com

bcpatil.com

diamondsilkregimen.com

nankanasaheb.com

incomeclub.africa

login-xfinity.net

fayetaylor.realtor

ljcfarms.africa

g-starnetwork.com

fullmography.com

cleanifylaundry.com

async.live

bigcommerce.rsvp

dominioncard.com

bankloan-dd.ru

bookcom34567875373733744444.top

Targets

- Target
  
  Quotation.exe
- Size
  
  704KB
- MD5
  
  64d571f6ab61788ccd1d0e7e83f85e1e
- SHA1
  
  65c6d2dc29a74b4ae79594c2a0517c41a0798f9c
- SHA256
  
  b81deeedf20176eab269dc52fb165d8d8c7f74fe3bddf09089702b37dd012ce6
- SHA512
  
  29f813bf6539d76e68955f93ab96b2a8b3174118f05be8a9ec4432e9761ac7694863146e29247cfedd243414fdebd07ebbdb3537e5a729f985bc6ba3686e89a1
- SSDEEP
  
  12288:MPFQH49xB8v6CJvt7pxtQdqqEoL9zH95wo3BE:CFQY9EtxtQdBEoL9zb3O
Score

10^/10

formbook ce18 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookce18ratspywarestealertrojan

behavioral2

formbookce18ratspywarestealertrojan

© 2018-2025

Terms | Privacy