formbook | 78298d690a8b4d0455d184ca19de0a9f50466f1a88f0da979970230085df30fa | Triage

Sharing

General

Target

087a92aaf0a59bf4f54fafaae7b6a027.bin
Size

561KB
Sample

240803-blbg6axhmm
MD5

fbac3679b5da3a83f23bd73276490ee0
SHA1

bf7736996d67d27c001d69f549e8768d135d6f01
SHA256

78298d690a8b4d0455d184ca19de0a9f50466f1a88f0da979970230085df30fa
SHA512

43699d993d195a49ba1ccb6dcd25973e2c50e351f152000b33b454ff715edb9ff9ac0b578d0b1ffce37eca3c1ac5fb696a20f726c2fdbb49fe3cdfbb8fd5c2a8
SSDEEP

12288:FHTyd+EVnGqDv6kotzQHirCJlAxV2XFF43XFHpinH4QAmZk:FTbWfCkkciWJYe43enk

Score

10^/10

formbook as89 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as89

Decoy

followcb.site

salutemanagement.com

shishiganggang.com

vanthuhay.xyz

nujekos.info

duckylucknodepositbonus.icu

ilemuelgroup.com

healnap.com

rezekitoto41.com

magicians-amino.click

fqr4dh.club

00050153.xyz

touchless-scoreboard.com

journaganstruevalue.com

connectingconcepts.biz

winraja88.com

mezcantina.com

cosmosfashions.com

dltholdingsandinvestments.com

vonlineb.com

Targets

- Target
  
  09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef.exe
- Size
  
  608KB
- MD5
  
  087a92aaf0a59bf4f54fafaae7b6a027
- SHA1
  
  a00135a4131ee743347f0ca3b3ac14427d008360
- SHA256
  
  09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef
- SHA512
  
  3647d3c39bf93e5d6b429392296e469218d855e41894545a91fd51a5dbae5830784506a4c224e106824131e312c47944cf07b23b594d6de5e0b5eabec5cf5d1f
- SSDEEP
  
  12288:VV8wtNDc2pZ/Mrr8ya2DG/ARyQg5f5Yk/Z3qOoUD6QA:fFcmZErIZ0zg59R3qNAl
Score

10^/10

formbook as89 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookas89discoveryexecutionratspywarestealertrojan

behavioral2

formbookas89discoveryexecutionratspywarestealertrojan