formbook | d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701 | Triage

Sharing

General

Target

po8909893299832.exe
Size

612KB
Sample

240530-k2qfpace9t
MD5

8c2635e6c2804ace5c6fa487f5e23a87
SHA1

334e05486efda6725b100a9365d5017aefb90e22
SHA256

d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
SHA512

25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
SSDEEP

12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3

Score

10^/10

formbook hd05 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hd05

Decoy

businessjp6-51399.info

countyyoungpest.com

taxilasamericas.com

stairs.parts

nrgsolutions.us

cbdgirl.guru

dropshunter.net

adorabubble.co.za

alcohomeexteriors.com

aquariusbusiness.info

zaginione.com

pintoresmajadahonda.com

fursace.club

musiletras.co

carpoboutiquehotel.com

redacted.investments

symplywell.me

lezxop.xyz

stmbbill.com

1509068.cc

Targets

- Target
  
  po8909893299832.exe
- Size
  
  612KB
- MD5
  
  8c2635e6c2804ace5c6fa487f5e23a87
- SHA1
  
  334e05486efda6725b100a9365d5017aefb90e22
- SHA256
  
  d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
- SHA512
  
  25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
- SSDEEP
  
  12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3
Score

10^/10

formbook hd05 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhd05executionratspywarestealertrojan

behavioral2

formbookhd05executionratspywarestealertrojan