formbook | ae818ce7f6c12d22d942ec3af9b9e6b237a7c1f2d62a1bfb6d2dc7f0dac8aff0 | Triage

Sharing

General

Target

ae818ce7f6c12d22d942ec3af9b9e6b237a7c1f2d62a1bfb6d2dc7f0dac8aff0
Size

741KB
Sample

240903-1danbsyepf
MD5

fe955f341bed9ae76c079eadfa74d500
SHA1

315d49a2b722a1c881dd35e6e0f7f0eab6b7ae2a
SHA256

ae818ce7f6c12d22d942ec3af9b9e6b237a7c1f2d62a1bfb6d2dc7f0dac8aff0
SHA512

31bf87a1bf301f91018b90fcf59f3569e60a3c9d5fe3a98046fb94a09de451fd16c66b45e1d55b8b4624ebdc04d747c1289df6d5d571d700def4f737d5e0ea3c
SSDEEP

12288:5x0zjLf30WH0TwOqp09vHIyUdA4fEvhoZbKz7deCthQKl7UnnHf5uiG4:6jj0ywkp4/IyUCQEvhmKvgCthQK1UnH1

Score

10^/10

formbook hy08 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy08

Decoy

weazc.top

servoceimmpajhnuz.info

vqemkdhi.xyz

wergol.com

spa-mk.com

rtpsid88.life

tatetits.fun

raidsa.xyz

suojiansuode.net

jointhejunction.com

wudai.net

typeboot.shop

mksport-app.com

miocloud.ovh

taipan77pandan.com

wwwhg58a.com

khuahamiksai31.pro

carpedatumllc.net

safebinders.com

krx21.com

Targets

- Target
  
  ae818ce7f6c12d22d942ec3af9b9e6b237a7c1f2d62a1bfb6d2dc7f0dac8aff0
- Size
  
  741KB
- MD5
  
  fe955f341bed9ae76c079eadfa74d500
- SHA1
  
  315d49a2b722a1c881dd35e6e0f7f0eab6b7ae2a
- SHA256
  
  ae818ce7f6c12d22d942ec3af9b9e6b237a7c1f2d62a1bfb6d2dc7f0dac8aff0
- SHA512
  
  31bf87a1bf301f91018b90fcf59f3569e60a3c9d5fe3a98046fb94a09de451fd16c66b45e1d55b8b4624ebdc04d747c1289df6d5d571d700def4f737d5e0ea3c
- SSDEEP
  
  12288:5x0zjLf30WH0TwOqp09vHIyUdA4fEvhoZbKz7deCthQKl7UnnHf5uiG4:6jj0ywkp4/IyUCQEvhmKvgCthQK1UnH1
Score

10^/10

formbook hy08 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhy08discoveryexecutionratspywarestealertrojan

behavioral2

formbookhy08discoveryexecutionratspywarestealertrojan