formbook | 8fddf1605031da46c75a4bcf9a38ac8868fb6ef9519828905f6e8435fa3875a4 | Triage

Submit
Reports

Overview

overview

Static

static

ae5f04e193...od.exe

windows7-x64

ae5f04e193...od.exe

windows10-2004-x64

Sharing

General

Target

ae5f04e1939d8ce30342a717d15c99489f9afa411aacfdbc85a4f6af79013694-mod.exe
Size

848KB
Sample

221207-c3snfaba6y
MD5

f5754653e12482d470ba49e6e4a56456
SHA1

98d4aae9a159eea640d43ffe6900b25e44d4b5bb
SHA256

8fddf1605031da46c75a4bcf9a38ac8868fb6ef9519828905f6e8435fa3875a4
SHA512

2cfd20eeb8daddada5c2cdcc0f28e3baa069bde93ba2ee4dbe776be683019b0d12d29ac40356caa14949290cc0188db67412cbdcd60d89829d8e15a3c792498e
SSDEEP

12288:rewy0O8ZrzM87QTdAz+VEYemZJbxpDF8VGmGqPBaynlmhGHqsSqyAeugqAPW6ETF:rewDljBa5hCuNZ/A6CgUPv

Score

10^/10

formbook d0a7 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ae5f04e1939d8ce30342a717d15c99489f9afa411aacfdbc85a4f6af79013694-mod.exe

Resource

win7-20220812-en

formbook d0a7 persistence rat spyware stealer trojan

windows7-x64

15 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ae5f04e1939d8ce30342a717d15c99489f9afa411aacfdbc85a4f6af79013694-mod.exe

Resource

win10v2004-20220812-en

formbook d0a7 persistence rat spyware stealer trojan

windows10-2004-x64

18 signatures

1800 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

qpeqlqb.com

parallelsoundsstudio.com

legacy-lc.com

isedeonline.com

baudtown.com

characting.space

noironclothes.com

pisell.one

comnewcocoffee.com

bitvtag.live

hotelblunt.com

chryslercapitla.com

designrate.art

niacopeland.com

royaltyweb3.com

openai-good.com

mom.rent

brapix.app

pikkwik.com

omilive.com

whdmjse.com

belifprint.com

ncsex6.xyz

vrf70r.online

jbway.com

avtokozmetika.website

info-klar.com

zbk53.com

comfydays.shop

ismagency.biz

shm01.com

horzeplay.com

luxacumen.com

drpathcares.com

steamfulfillmentllc.com

board-evaluations.com

gecreditu.info

aquastarla.net

yjdfw.net

dhjzfs.com

theminco.biz

honeynoel.com

rzkbol.com

anastsy4.tech

botani-yodo1.xyz

Targets

- Target
  
  ae5f04e1939d8ce30342a717d15c99489f9afa411aacfdbc85a4f6af79013694-mod.exe
- Size
  
  848KB
- MD5
  
  f5754653e12482d470ba49e6e4a56456
- SHA1
  
  98d4aae9a159eea640d43ffe6900b25e44d4b5bb
- SHA256
  
  8fddf1605031da46c75a4bcf9a38ac8868fb6ef9519828905f6e8435fa3875a4
- SHA512
  
  2cfd20eeb8daddada5c2cdcc0f28e3baa069bde93ba2ee4dbe776be683019b0d12d29ac40356caa14949290cc0188db67412cbdcd60d89829d8e15a3c792498e
- SSDEEP
  
  12288:rewy0O8ZrzM87QTdAz+VEYemZJbxpDF8VGmGqPBaynlmhGHqsSqyAeugqAPW6ETF:rewDljBa5hCuNZ/A6CgUPv
Score

10^/10

formbook d0a7 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookd0a7persistenceratspywarestealertrojan

behavioral2

formbookd0a7persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy