formbook | 3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f49a18388f070afc8f7a17f6053666ba.exe
Size

718KB
Sample

240509-frzjdsfb49
MD5

f49a18388f070afc8f7a17f6053666ba
SHA1

d1062e2c38badf9aac1a2c2d0bf4ea7f3e07341b
SHA256

3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e
SHA512

6557e22c3e5542262cb8d9ae6c1a79a17f8ce2b9666dfab3ea2df5acd8c23bda607358569b75454cb49a3d36448c08a1a671923f27c13b2473d5925842a7cd34
SSDEEP

12288:Me0ReLAfP7wD6ZtqzvBzmAqdse00yzr+zdW4WgxUHPp8RGHwAOovhbuigPc20mk1:Me+537wDAtqFmAq500yuZWfK8QrQh

Score

10^/10

formbook ht3d execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ht3d

Decoy

derlon.net

46gem.vip

bridal-heart-boutique.com

porarquitectura.com

durkal.online

9916k.vip

nativegarden.net

hoodjac.com

coachwunder.com

jutuowangluo.com

frankmontagna.com

jalenx.com

yhxg.net

brasserie-bro.com

whitecoatprivilege.com

sigmadriving.com

inhkipcmacau.com

freediveexperience.com

52iwin.com

aaditt.com

Targets

- Target
  
  f49a18388f070afc8f7a17f6053666ba.exe
- Size
  
  718KB
- MD5
  
  f49a18388f070afc8f7a17f6053666ba
- SHA1
  
  d1062e2c38badf9aac1a2c2d0bf4ea7f3e07341b
- SHA256
  
  3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e
- SHA512
  
  6557e22c3e5542262cb8d9ae6c1a79a17f8ce2b9666dfab3ea2df5acd8c23bda607358569b75454cb49a3d36448c08a1a671923f27c13b2473d5925842a7cd34
- SSDEEP
  
  12288:Me0ReLAfP7wD6ZtqzvBzmAqdse00yzr+zdW4WgxUHPp8RGHwAOovhbuigPc20mk1:Me+537wDAtqFmAq500yuZWfK8QrQh
Score

10^/10

formbook ht3d execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookht3dexecutionratspywarestealertrojan

behavioral2

formbookht3dexecutionratspywarestealertrojan