formbook | bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a | Triage

Sharing

General

Target

bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a.exe
Size

549KB
Sample

240531-bws5ysbb52
MD5

3b8109a47ed68232b0bff1bdaf39c33a
SHA1

56a00c74e584b1b62c3338d45cad0932a106e9ff
SHA256

bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a
SHA512

2e3dc37800d0397d2f40d935c59a493088446d577bb8b0f45547935603ccaab1dad65a20985afcbd1f3ef9d631247d74b7085812a9ae5556fd83bf71a13fb18c
SSDEEP

12288:VkkKkXdrJwKcIL0ERnQQSoX9K4KpzaC8QApCnQmxaM:1cHCQboX9KxpsQAp

Score

10^/10

formbook lokibot dn03 collection execution rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

- Target
  
  bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a.exe
- Size
  
  549KB
- MD5
  
  3b8109a47ed68232b0bff1bdaf39c33a
- SHA1
  
  56a00c74e584b1b62c3338d45cad0932a106e9ff
- SHA256
  
  bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a
- SHA512
  
  2e3dc37800d0397d2f40d935c59a493088446d577bb8b0f45547935603ccaab1dad65a20985afcbd1f3ef9d631247d74b7085812a9ae5556fd83bf71a13fb18c
- SSDEEP
  
  12288:VkkKkXdrJwKcIL0ERnQQSoX9K4KpzaC8QApCnQmxaM:1cHCQboX9KxpsQAp
Score

10^/10

lokibot collection execution spyware stealer trojan formbook dn03 rat
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

formbooklokibotdn03collectionexecutionratspywarestealertrojan