formbook | ef035eed65c7665830415f30f12204f4a0c2b83a0bb6af5edeaccf57bef523d2 | Triage

Sharing

General

Target

ef035eed65c7665830415f30f12204f4a0c2b83a0bb6af5edeaccf57bef523d2
Size

603KB
Sample

240728-gvfq5a1hpr
MD5

fd1dcbb1f74609232fde7b39e4938378
SHA1

854320af37e5728501b936dd0494bd1fc62cdc14
SHA256

ef035eed65c7665830415f30f12204f4a0c2b83a0bb6af5edeaccf57bef523d2
SHA512

30527125491198020fed44960a54d61f462480d8f169ab5e239e92e80c5a98176a0743ef7a40d79f9aeaeea0e1319d6c59a6567d36b6c2cd2ba7f0c1f0735e51
SSDEEP

12288:5DfBbKhaPW6uZ0YTAA+vMRh1b9evQ/8RtkubA/gIeI1fsfaJ:59b99jYTA9Mff1hubAgP7fa

Score

10^/10

formbook pz12 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com

Targets

- Target
  
  ef035eed65c7665830415f30f12204f4a0c2b83a0bb6af5edeaccf57bef523d2
- Size
  
  603KB
- MD5
  
  fd1dcbb1f74609232fde7b39e4938378
- SHA1
  
  854320af37e5728501b936dd0494bd1fc62cdc14
- SHA256
  
  ef035eed65c7665830415f30f12204f4a0c2b83a0bb6af5edeaccf57bef523d2
- SHA512
  
  30527125491198020fed44960a54d61f462480d8f169ab5e239e92e80c5a98176a0743ef7a40d79f9aeaeea0e1319d6c59a6567d36b6c2cd2ba7f0c1f0735e51
- SSDEEP
  
  12288:5DfBbKhaPW6uZ0YTAA+vMRh1b9evQ/8RtkubA/gIeI1fsfaJ:59b99jYTA9Mff1hubAgP7fa
Score

10^/10

formbook pz12 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookpz12discoveryexecutionratspywarestealertrojan

behavioral2

formbookpz12discoveryexecutionratspywarestealertrojan