formbook | 93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f | Triage

Sharing

General

Target

93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f.exe
Size

680KB
Sample

240711-b7zrwavbmg
MD5

207011f0f9e2d8c3ef2d256aa44286b7
SHA1

32239c8cdcbc135cadbccfa0ca93312e6a9a8e71
SHA256

93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f
SHA512

7083c82523316980514e9b615e349b3018605f2e02388fb259607248f0f40fa506e279e38fa7d6b8d8249c49f6cc5d9006b2d78b504512ad9ef8106493bb987c
SSDEEP

12288:1Vwp0xC0kU60d7djPR7SCVlxVaPi0xAbY/uVHCJ+yTZ:vwpECfedjPR7SElxVii4AbY/ulMT

Score

10^/10

formbook 45er execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Targets

- Target
  
  93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f.exe
- Size
  
  680KB
- MD5
  
  207011f0f9e2d8c3ef2d256aa44286b7
- SHA1
  
  32239c8cdcbc135cadbccfa0ca93312e6a9a8e71
- SHA256
  
  93aeb18c52bece32042f39cbce6994036ac8556043fdc335bb3fc1453ce8d74f
- SHA512
  
  7083c82523316980514e9b615e349b3018605f2e02388fb259607248f0f40fa506e279e38fa7d6b8d8249c49f6cc5d9006b2d78b504512ad9ef8106493bb987c
- SSDEEP
  
  12288:1Vwp0xC0kU60d7djPR7SCVlxVaPi0xAbY/uVHCJ+yTZ:vwpECfedjPR7SElxVii4AbY/ulMT
Score

10^/10

formbook 45er execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook45erexecutionratspywarestealertrojan

behavioral2

formbook45erexecutionratspywarestealertrojan