formbook | d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9 | Triage

Sharing

General

Target

d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9
Size

768KB
Sample

240808-hdecea1akk
MD5

05ef7ade99c5e2d204f44a83481f98df
SHA1

2a055a83e04b1918072c21dbc992caffce466b5e
SHA256

d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9
SHA512

34a6d2cc7ca2da3b30056ceb0541bd5382aede8627e9a1ecf42e0dcac38b12031bbf8a8ccf7532c7b33798f4270353db90ea78ae89acb959af85423d223c3d22
SSDEEP

12288:1IWiyHwQn+eSI+i1PV5gx/aJtWBQo4yK/7HV3aQCFBQR7MMUITRPoqyrAg2XgTPa:mzyHEeSIBb/WJ4dj13aUzUW2hV2wTPdy

Score

10^/10

formbook hy08 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy08

Decoy

weazc.top

servoceimmpajhnuz.info

vqemkdhi.xyz

wergol.com

spa-mk.com

rtpsid88.life

tatetits.fun

raidsa.xyz

suojiansuode.net

jointhejunction.com

wudai.net

typeboot.shop

mksport-app.com

miocloud.ovh

taipan77pandan.com

wwwhg58a.com

khuahamiksai31.pro

carpedatumllc.net

safebinders.com

krx21.com

Targets

- Target
  
  d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9
- Size
  
  768KB
- MD5
  
  05ef7ade99c5e2d204f44a83481f98df
- SHA1
  
  2a055a83e04b1918072c21dbc992caffce466b5e
- SHA256
  
  d4016be0cb5e22645898c576c8e078b2db3dabd8060f5920e710cce59fa81fe9
- SHA512
  
  34a6d2cc7ca2da3b30056ceb0541bd5382aede8627e9a1ecf42e0dcac38b12031bbf8a8ccf7532c7b33798f4270353db90ea78ae89acb959af85423d223c3d22
- SSDEEP
  
  12288:1IWiyHwQn+eSI+i1PV5gx/aJtWBQo4yK/7HV3aQCFBQR7MMUITRPoqyrAg2XgTPa:mzyHEeSIBb/WJ4dj13aUzUW2hV2wTPdy
Score

10^/10

formbook hy08 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhy08discoveryexecutionratspywarestealertrojan

behavioral2

formbookhy08discoveryexecutionratspywarestealertrojan