formbook | 0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

order spec...on.exe

windows7-x64

order spec...on.exe

windows10-2004-x64

Sharing

General

Target

order specification.exe
Size

684KB
Sample

230522-kpv6eafb54
MD5

e4b4f25fdbd4a82ef0df9076ec6dd250
SHA1

35a27a55da6c5c6c65292289d95469cd4ec0bff9
SHA256

0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7
SHA512

848f2178541a9302e93c3558f0320bc5d922128407b03dbfaa20702584fc67e1722f4ac46974ad8a7b918af2d78fd86903728d518ec2f5f4d66bb74474347902
SSDEEP

12288:ptOFx0YPX/NqPsAogO01MnY7Zzrgb7Siqumatg8BaNd2h/:ptOwHPsAA0eGgb+iquBaNG/

Score

10^/10

formbook o17i rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

order specification.exe

Resource

win7-20230220-en

formbook o17i rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

order specification.exe

Resource

win10v2004-20230220-en

formbook o17i rat spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o17i

Decoy

chocolatebarreview.com

fetch-a-trabajos-canada.info

expresspestcontrol.net

tractionx.co.uk

vitalassetsecurity.com

lahtawine.ru

firedamagereports.com

bentzenphotography.com

digitalworkforces.com

divnoe.online

efefbig.buzz

melhardy.co.uk

igorsolutions.com

developmentszhuiservice.com

fookspace.com

kredaroo.com

4zpm.xyz

kycecat.cfd

singingriverhomeimprovement.com

bils.store

abvqwrtqwt.com

agenciaibdig.online

azsxslife.com

deadstar.cloud

dralexisdvm.com

investea.uk

lovemichigancity.com

imcas.academy

cicero.store

handgab.com

femalefinancialcollective.com

fullblu.com

betonbajas.info

olawaleojewumi.africa

chrissyadamsrealestate.com

kx1898.com

efefcoal.buzz

cartec-2023.com

laptops-67575.com

gadexperts.com

clients-web.com

wwwinterbahis1075.com

locvu.xyz

ctjh0p9.vip

loyaltysouls.com

gction.online

funerverso.net

chargingpiles.shop

gyekkh.cfd

38jsz.com

drdoctormedia.com

732694.com

usapaperballot.com

apexbiomedicaltech.com

knowchaos.com

shaedonaldson.net

76999.biz

doitalllandscapingllc.com

compts.top

fuelforhealth.se

gofundhouse.com

vapecanal.co.uk

furniturecomponent.asia

searo.co.uk

internet-providers-45067.com

Targets

- Target
  
  order specification.exe
- Size
  
  684KB
- MD5
  
  e4b4f25fdbd4a82ef0df9076ec6dd250
- SHA1
  
  35a27a55da6c5c6c65292289d95469cd4ec0bff9
- SHA256
  
  0480f30f1070d12b3231c495ee15699f09049f1c5bc19e889ebd2f3571bd4ab7
- SHA512
  
  848f2178541a9302e93c3558f0320bc5d922128407b03dbfaa20702584fc67e1722f4ac46974ad8a7b918af2d78fd86903728d518ec2f5f4d66bb74474347902
- SSDEEP
  
  12288:ptOFx0YPX/NqPsAogO01MnY7Zzrgb7Siqumatg8BaNd2h/:ptOwHPsAA0eGgb+iquBaNG/
Score

10^/10

formbook o17i rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko17iratspywarestealertrojan

behavioral2

formbooko17iratspywarestealertrojan

© 2018-2025

Terms | Privacy