formbook | 90fdf55b14e521049fce00f26fe2a9ef8880f41862c6dbec38d275189797c501 | Triage

Sharing

General

Target

cff39149d540e851536383f64d5f5568.bin
Size

488KB
Sample

240531-dk6ysach7s
MD5

6e1019a31aad52ab251d55e4809a2d16
SHA1

5d0fee4c10db01af52a15bf69c322b21efd2e02e
SHA256

90fdf55b14e521049fce00f26fe2a9ef8880f41862c6dbec38d275189797c501
SHA512

6375502e1f3d72cc0d9f5f3a563e0d5bb26fcfbb54b54f3e4397df81c58fe5f749c996cb90355b1836d3a24dd9c03ba1cbcca4be20ed1c89c7ab90f5a860c978
SSDEEP

6144:5oPtacUzfLHD49jg/dHuLl+uEWVC7l4HvYS2j6StIXwLhXYhy/yjRWhAMqEyIO+h:5X7Eanu0OHwSS6S4wVWEhI0TXqR9bg

Score

10^/10

formbook lokibot dn03 collection execution rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

- Target
  
  795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357.exe
- Size
  
  512KB
- MD5
  
  cff39149d540e851536383f64d5f5568
- SHA1
  
  2cd49c6f28ecea254e22a75e3e77092a67d26774
- SHA256
  
  795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357
- SHA512
  
  0f3eb77eb9396ec5ec63fc166e12167bf651e433b5c7831935ed2c965eed85b94b9893e6d20d207473f126b273f60c4b6378859b85613cc630acd7c7b70a6ba6
- SSDEEP
  
  12288:UidJS4V9ulMb8Z6j2B0TM4kQhrLO9rAq7BH7Q4a2Y4tS87W:5ScN4ZsvTM4DhXfIBUa17W
Score

10^/10

lokibot collection execution spyware stealer trojan formbook dn03 rat
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

formbooklokibotdn03collectionexecutionratspywarestealertrojan