formbook | 72997c981fef64ed3cf79ffa5b2a496aca59fbefd54f7585049f71d69de1fe52 | Triage

Sharing

General

Target

72997c981fef64ed3cf79ffa5b2a496aca59fbefd54f7585049f71d69de1fe52.exe
Size

634KB
Sample

240812-bkl79sybjm
MD5

dff2a4f9c0e8469a1829ab1f39668856
SHA1

77a56409876a9c0c33fd59a070a21c8ee1b18a92
SHA256

72997c981fef64ed3cf79ffa5b2a496aca59fbefd54f7585049f71d69de1fe52
SHA512

aff25af1d0a6bf6ebf9aeb5758214c9a0dd559e7a7d5bb2330ed07e6d06e6f2c5169dcb71176366c7eb75d925c72631a3c471fb1e3239c56dc8e87e71804451e
SSDEEP

12288:OZCxSBAiSeURm5+Y7o0amp+ztqlACErYz4BjNA314OSxfmMNfDmvAwkR:bxSBAOUe+Y7o0CRBdrPk14bFN7eA3

Score

10^/10

formbook sy52 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy52

Decoy

wxxj.asia

emu-oil.online

theprogressiontalks.com

saigonvape.com

cb257.pro

inucana.com

xn--pdr89n.vip

vtc.bzh

connexionsink.com

mastersofthevibes.com

mallsetuae.shop

bellaandbling.com

wagi88.one

273618.bid

japanvietnam-mall.com

lkd1t.rest

oflgjgiq.xyz

calliblography.com

idz8u.vip

marrybears.com

Targets

- Target
  
  72997c981fef64ed3cf79ffa5b2a496aca59fbefd54f7585049f71d69de1fe52.exe
- Size
  
  634KB
- MD5
  
  dff2a4f9c0e8469a1829ab1f39668856
- SHA1
  
  77a56409876a9c0c33fd59a070a21c8ee1b18a92
- SHA256
  
  72997c981fef64ed3cf79ffa5b2a496aca59fbefd54f7585049f71d69de1fe52
- SHA512
  
  aff25af1d0a6bf6ebf9aeb5758214c9a0dd559e7a7d5bb2330ed07e6d06e6f2c5169dcb71176366c7eb75d925c72631a3c471fb1e3239c56dc8e87e71804451e
- SSDEEP
  
  12288:OZCxSBAiSeURm5+Y7o0amp+ztqlACErYz4BjNA314OSxfmMNfDmvAwkR:bxSBAOUe+Y7o0CRBdrPk14bFN7eA3
Score

10^/10

formbook sy52 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksy52discoveryexecutionratspywarestealertrojan

behavioral2

formbooksy52discoveryexecutionratspywarestealertrojan