formbook | 8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62 | Triage

Sharing

General

Target

8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62.exe
Size

783KB
Sample

240810-bwyenstcnf
MD5

9b27789c9feb9bddebfee2519a9b64d7
SHA1

36dbadc4856937b197e467a7ef8ccbfb329d19bb
SHA256

8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62
SHA512

bbb60df42f05faa819644b8204ac02dfcbb0d3a76ff956518ae3803084a6454d42c7f3df1d118e7ae8437eae03586ca27c666a3dcadecd048328632936aa0e5f
SSDEEP

24576:KP9a8MbV6y2KYpA5IM8UCC4DIyNm3Czh17:9bVOhUEMov

Score

10^/10

formbook ps15 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps15

Decoy

57797.asia

jhpwt.net

basketballdrillsforkids.com

zgzf6.rest

casinomaxnodepositbonus.icu

uptocryptonews.com

gomenasorry.com

fortanix.space

stripscity.xyz

genbotdiy.xyz

mayson-wedding.com

neb-hub.net

seancollinsmusic.com

migraine-treatment-57211.bond

prosperawoman.info

tradefairleads.tech

xn--yeminlitercme-6ob.com

xwaveevent.com

fashiontrendshub.xyz

window-replacement-80823.bond

Targets

- Target
  
  8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62.exe
- Size
  
  783KB
- MD5
  
  9b27789c9feb9bddebfee2519a9b64d7
- SHA1
  
  36dbadc4856937b197e467a7ef8ccbfb329d19bb
- SHA256
  
  8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62
- SHA512
  
  bbb60df42f05faa819644b8204ac02dfcbb0d3a76ff956518ae3803084a6454d42c7f3df1d118e7ae8437eae03586ca27c666a3dcadecd048328632936aa0e5f
- SSDEEP
  
  24576:KP9a8MbV6y2KYpA5IM8UCC4DIyNm3Czh17:9bVOhUEMov
Score

10^/10

formbook ps15 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookps15discoveryexecutionratspywarestealertrojan

behavioral2

formbookps15discoveryexecutionratspywarestealertrojan