formbook | f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a | Triage

Sharing

General

Target

f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a
Size

603KB
Sample

240829-fww9tsvfph
MD5

af8c67ecaaf1d8a3c148b3b994738f50
SHA1

ecf9e0b3eca2e745b460caa0513926256fd6ba36
SHA256

f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a
SHA512

2b5abb2587335a4c32ff03d4a4862d36cba51decb9381f71d99e08d1500fda37a91c8304ac36e2555481614c405673d3e6dbb65d5cbb8ed86336c790663c6b24
SSDEEP

12288:cbVVztMJXXiP1ysEXfq28bIV/46we6H4eLt7P5Jqq6f:0ztoXXO1yNfEbQ/4yMF/B6

Score

10^/10

formbook hy08 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy08

Decoy

weazc.top

servoceimmpajhnuz.info

vqemkdhi.xyz

wergol.com

spa-mk.com

rtpsid88.life

tatetits.fun

raidsa.xyz

suojiansuode.net

jointhejunction.com

wudai.net

typeboot.shop

mksport-app.com

miocloud.ovh

taipan77pandan.com

wwwhg58a.com

khuahamiksai31.pro

carpedatumllc.net

safebinders.com

krx21.com

Targets

- Target
  
  f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a
- Size
  
  603KB
- MD5
  
  af8c67ecaaf1d8a3c148b3b994738f50
- SHA1
  
  ecf9e0b3eca2e745b460caa0513926256fd6ba36
- SHA256
  
  f17389114ceadad92245e477bcb03aee1a97f310f816083b6bd918d64230139a
- SHA512
  
  2b5abb2587335a4c32ff03d4a4862d36cba51decb9381f71d99e08d1500fda37a91c8304ac36e2555481614c405673d3e6dbb65d5cbb8ed86336c790663c6b24
- SSDEEP
  
  12288:cbVVztMJXXiP1ysEXfq28bIV/46we6H4eLt7P5Jqq6f:0ztoXXO1yNfEbQ/4yMF/B6
Score

10^/10

discovery execution formbook hy08 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

formbookhy08discoveryexecutionratspywarestealertrojan