formbook | f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929 | Triage

Sharing

General

Target

f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe
Size

634KB
Sample

240812-bsbfqsyejj
MD5

b848cbbb4d07a75edc0f3bbedeacd096
SHA1

73e77737438539c5f6d8547e9afcc160902a131c
SHA256

f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929
SHA512

16bf768045d05d7eda9352ec39d9dfff6847797213eac991c51536d6fadb51bd550d580ee725357aa08205f7c083ed57071d16ce94659f75d481f8a1e8c77aba
SSDEEP

12288:d0tjlGAiSeURm5CO5OkpIkFSE6oGph+IoI3FocZziba2JGcJ4pelEteiAdkR:olGAOUejF2MSE4h+Iz3FF5Ca2JG2uel0

Score

10^/10

formbook ps15 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps15

Decoy

57797.asia

jhpwt.net

basketballdrillsforkids.com

zgzf6.rest

casinomaxnodepositbonus.icu

uptocryptonews.com

gomenasorry.com

fortanix.space

stripscity.xyz

genbotdiy.xyz

mayson-wedding.com

neb-hub.net

seancollinsmusic.com

migraine-treatment-57211.bond

prosperawoman.info

tradefairleads.tech

xn--yeminlitercme-6ob.com

xwaveevent.com

fashiontrendshub.xyz

window-replacement-80823.bond

Targets

- Target
  
  f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929.exe
- Size
  
  634KB
- MD5
  
  b848cbbb4d07a75edc0f3bbedeacd096
- SHA1
  
  73e77737438539c5f6d8547e9afcc160902a131c
- SHA256
  
  f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929
- SHA512
  
  16bf768045d05d7eda9352ec39d9dfff6847797213eac991c51536d6fadb51bd550d580ee725357aa08205f7c083ed57071d16ce94659f75d481f8a1e8c77aba
- SSDEEP
  
  12288:d0tjlGAiSeURm5CO5OkpIkFSE6oGph+IoI3FocZziba2JGcJ4pelEteiAdkR:olGAOUejF2MSE4h+Iz3FF5Ca2JG2uel0
Score

10^/10

formbook ps15 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookps15discoveryexecutionratspywarestealertrojan

behavioral2

formbookps15discoveryexecutionratspywarestealertrojan