formbook | 319031aef57695e9e163907f23b335c31851a3511ce5de8109913a877b75854b | Triage

Submit
Reports

Overview

overview

Static

static

3

Document R...21.exe

windows7-x64

Document R...21.exe

windows10-2004-x64

Sharing

General

Target

21054066a9306b448e32a28c43a5c2dd_JaffaCakes118
Size

419KB
Sample

240329-nqs9zsgf49
MD5

21054066a9306b448e32a28c43a5c2dd
SHA1

2741e2a11ba8e5196cd406a19ddb90ad1b39782a
SHA256

319031aef57695e9e163907f23b335c31851a3511ce5de8109913a877b75854b
SHA512

4d6eb6361f5eefd3d0b294443d4734bb9206483e017384065760b275d1d63323c1721cbce5e3c9e5b60c7929a454871e877f997c006e6ac7fd4d0a6b038adb03
SSDEEP

12288:KI63shJunufpL/ymtL3Wpd36BseLdSE2DAoQ+g+pX:ys/uut/ymtL3WXKZdShDAoKAX

Score

10^/10

formbook g8ni rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Document RFQ#8086A_461A_0000086_300_3550_2021.exe

Resource

win7-20240221-en

formbook g8ni rat spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Document RFQ#8086A_461A_0000086_300_3550_2021.exe

Resource

win10v2004-20240226-en

formbook g8ni rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g8ni

Decoy

nickmowat.com

garethjame.biz

colibrilift.com

vulnerabilitylabs.one

neuro-ai-web-ru.website

16mcnaestreetmooneeponds.com

bestofstmaarten.net

meditelier.com

ragnarduke.com

escueladecampo.com

vongtayvn.com

inmemoriamaan.com

yourpeoplemanager.com

r6-gytr.com

agreeablebeauty.com

snpconfirms.com

tribalurq.quest

purafuse.com

cisco-training-course.com

wery.top

haiyaa.tech

schtefo.net

kenytc.com

energypopcorn.com

0urls.top

artiatec.com

enqum.com

nextcloud.solutions

stateaffairsng.com

727bpay.com

matchmakerfiji.com

qingdouge.com

nusrattelbdoffical.xyz

seo-clicks7.com

aspirateurs.net

autosandmorestore.com

moje-akvarium.net

uehddw.com

geschmacksakademie.com

gendarmerie.email

buynftinc.com

mission-nao.com

webmakers.xyz

federationwholesale.com

tjbieying.com

finestpoints.com

premiersloyko.xyz

carlislepartssurvey.com

hackernfts.com

abitvip.com

iphone13mini.supplies

thenorthfacedeal.online

swlhvipbj.com

elguije.com

auto2pl.com

route112mitsubishi.com

zilliq.com

pumateam04.com

xtzztf.com

sacmaudantoc.xyz

kalafwalker.com

jumeaux-numeriques.com

purposefulwork.com

jacquelineblog.info

er5544.com

Targets

- Target
  
  Document RFQ#8086A_461A_0000086_300_3550_2021.exe
- Size
  
  510KB
- MD5
  
  a445dd187c6dc7254da6d2f0d893f2fb
- SHA1
  
  c0548d4ed4a9c2b68fbcf592e9a892fa587d5b0e
- SHA256
  
  2a2187ae775f286c2400957b71aac1c550779fc6652a710d126546d4d4879f0f
- SHA512
  
  ec8fb387474fe1a737ea46d67e5b2e363ecb6c35634e1af63e465fb487c8ae2b7684d128d8ea982d6234110dee83a4601b6fba64f05765a41927f580520c527e
- SSDEEP
  
  12288:ogcvFMGTRKGUjCh6MCpMBWlzXu9TysHr6NOjqMIw+Nyqq9gdWf9od:qvAjCh6MCpnl+4xOOj3yqAgdio
Score

10^/10

formbook g8ni rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookg8niratspywarestealertrojan

behavioral2

formbookg8niratspywarestealertrojan

© 2018-2024

Terms | Privacy