formbook | ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6 | Triage

Sharing

General

Target

ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6.exe
Size

1.1MB
Sample

240803-cwl73svdke
MD5

9a2a86186b5ee6d85c0dfe909e310552
SHA1

79708082f50cca5c53860aa6bfc404e2762e4044
SHA256

ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
SHA512

3654142511c651853f4d27abb8780a7c2ceecb3a96843e0de258d1f4234a8d04f6ba015a4ecf5958152778b37195e9aef57f00140be22c9d7591def90a10d20b
SSDEEP

24576:bf+6UNxk0J9Wq3B8VkkogaAlQj+HbvG13BFt:bG6U80Jkq3B8VzogaokYvGpt

Score

10^/10

formbook v15n discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

v15n

Decoy

dyahwoahjuk.store

toysstorm.com

y7rak9.com

2222233p6.shop

betbox2341.com

visualvarta.com

nijssenadventures.com

main-12.site

leng4d.net

kurainu.xyz

hatesa.xyz

culturamosaica.com

supermallify.store

gigboard.app

rxforgive.com

ameliestones.com

kapalwin.live

tier.credit

sobol-ksa.com

faredeal.online

Targets

- Target
  
  ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6.exe
- Size
  
  1.1MB
- MD5
  
  9a2a86186b5ee6d85c0dfe909e310552
- SHA1
  
  79708082f50cca5c53860aa6bfc404e2762e4044
- SHA256
  
  ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
- SHA512
  
  3654142511c651853f4d27abb8780a7c2ceecb3a96843e0de258d1f4234a8d04f6ba015a4ecf5958152778b37195e9aef57f00140be22c9d7591def90a10d20b
- SSDEEP
  
  24576:bf+6UNxk0J9Wq3B8VkkogaAlQj+HbvG13BFt:bG6U80Jkq3B8VzogaokYvGpt
Score

10^/10

formbook v15n discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookv15ndiscoveryexecutionratspywarestealertrojan

behavioral2

formbookv15ndiscoveryexecutionratspywarestealertrojan