formbook | 74c4d6a99f78d9829a76d6c59656f76c6e8a0087baab2a1395d31f4b6522b27e | Triage

Sharing

General

Target

19df4a6e35fc54bd0afb078f875b9690_NeikiAnalytics.exe
Size

691KB
Sample

240526-wdqmbsfc79
MD5

19df4a6e35fc54bd0afb078f875b9690
SHA1

3d22765346d1eba931a490082f36c90136018c05
SHA256

74c4d6a99f78d9829a76d6c59656f76c6e8a0087baab2a1395d31f4b6522b27e
SHA512

d1723e3c48d3f8c5a4023dfd22e1f120af5648021aeebd9c1425d0319e87c1decf62d77d3c299da9932a22009af2d8f45356136d2e679ca8c281b6efb40ce273
SSDEEP

12288:MWOTNXc3RounBAFnSS2/5hDiE+Xd3OWsN8/uOC5Ix8L+DLXsX9CpCB2:L3auBqSSSrDTm3WerC5W8ssf2

Score

10^/10

formbook bp31 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bp31

Decoy

hp68b.top

rajawali99pkv.com

cisseoriginals.com

pedchain.com

affibook.com

nudtnrg.com

lems.cloud

tipozaa.store

theamalliance.com

massalit.com

houysdegsesag.top

eseventplanning.com

wxt82.xyz

supportonlineinfo.online

genee.store

nohu247.pro

cartx.store

acomunicacaorestaura.store

249b871ab7d2.info

surantools.com

Targets

- Target
  
  19df4a6e35fc54bd0afb078f875b9690_NeikiAnalytics.exe
- Size
  
  691KB
- MD5
  
  19df4a6e35fc54bd0afb078f875b9690
- SHA1
  
  3d22765346d1eba931a490082f36c90136018c05
- SHA256
  
  74c4d6a99f78d9829a76d6c59656f76c6e8a0087baab2a1395d31f4b6522b27e
- SHA512
  
  d1723e3c48d3f8c5a4023dfd22e1f120af5648021aeebd9c1425d0319e87c1decf62d77d3c299da9932a22009af2d8f45356136d2e679ca8c281b6efb40ce273
- SSDEEP
  
  12288:MWOTNXc3RounBAFnSS2/5hDiE+Xd3OWsN8/uOC5Ix8L+DLXsX9CpCB2:L3auBqSSSrDTm3WerC5W8ssf2
Score

10^/10

formbook bp31 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookbp31executionratspywarestealertrojan

behavioral2

formbookbp31executionratspywarestealertrojan