formbook | ee6612c011e68b93d85640b5fb919148af358998be27cab54333b0d6c6b8709f | Triage

Sharing

General

Target

ee6612c011e68b93d85640b5fb919148af358998be27cab54333b0d6c6b8709f.rar
Size

582KB
Sample

240531-jvtdbscg27
MD5

87f7a702fac18411117b7bf436a7a45a
SHA1

47ff3f97ada89d813c49be78885e575ee50f75ff
SHA256

ee6612c011e68b93d85640b5fb919148af358998be27cab54333b0d6c6b8709f
SHA512

faded6c15dfa5bb7ae797683e0a20c22a5137d01dba5d6af8e135cb2bf54df16e7c55359c388a0a0bcd130f59e8ef3dc1fc34267296c250627b4e2e8fa5ba1a7
SSDEEP

12288:TFFzU+NlmGdCmju9JR2gW9Gd+Agaw4JHc45xmJm4j8txUc+dpd9:TPzb963RrW92fdw4JcSxmm4j83edf9

Score

10^/10

formbook hd05 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hd05

Decoy

businessjp6-51399.info

countyyoungpest.com

taxilasamericas.com

stairs.parts

nrgsolutions.us

cbdgirl.guru

dropshunter.net

adorabubble.co.za

alcohomeexteriors.com

aquariusbusiness.info

zaginione.com

pintoresmajadahonda.com

fursace.club

musiletras.co

carpoboutiquehotel.com

redacted.investments

symplywell.me

lezxop.xyz

stmbbill.com

1509068.cc

Targets

- Target
  
  po8909893299832.exe
- Size
  
  612KB
- MD5
  
  8c2635e6c2804ace5c6fa487f5e23a87
- SHA1
  
  334e05486efda6725b100a9365d5017aefb90e22
- SHA256
  
  d6c03cce5773652c4cb266084f901b331550d57a656240d20c288484657cd701
- SHA512
  
  25b40d504047bd3001303c59c72756d7174dc3b0e9731045e2a4cd57907333f4203ab8f2de3f4b99fb96c6ef5217dae764bfcca980583f7375a39714b78dffe6
- SSDEEP
  
  12288:xdJS4VayvR9/7MY12/bsozqhJf6fa8OGawEekrNYoAjjQkR:hScnpFxE/bsB3Si8OyTp3
Score

10^/10

execution formbook hd05 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookhd05executionratspywarestealertrojan