formbook | 0e4890952f2506c3cd0124d53fa0c39f2cdaf432c2be5f3ac6257793013e618b | Triage

Sharing

General

Target

8e23f17a28191c04596391464d43870c.exe
Size

2.1MB
Sample

240912-x5dbrazhqd
MD5

8e23f17a28191c04596391464d43870c
SHA1

91e7b1e075aaf6ad3ce2fea102d4a31dea2e446e
SHA256

0e4890952f2506c3cd0124d53fa0c39f2cdaf432c2be5f3ac6257793013e618b
SHA512

bf9e5cee8ae9f612e3204d8343cdf11998b304673c7ecae1682de999b55d58b5632e2bff8b9893c284c1fa9cd1da618e9c3e0033214319bf1dda91b0a8f6211f
SSDEEP

49152:xfDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszH8u1BbSCg3E16su:xfDQQsNJT16su

Score

10^/10

formbook kmge credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  8e23f17a28191c04596391464d43870c.exe
- Size
  
  2.1MB
- MD5
  
  8e23f17a28191c04596391464d43870c
- SHA1
  
  91e7b1e075aaf6ad3ce2fea102d4a31dea2e446e
- SHA256
  
  0e4890952f2506c3cd0124d53fa0c39f2cdaf432c2be5f3ac6257793013e618b
- SHA512
  
  bf9e5cee8ae9f612e3204d8343cdf11998b304673c7ecae1682de999b55d58b5632e2bff8b9893c284c1fa9cd1da618e9c3e0033214319bf1dda91b0a8f6211f
- SSDEEP
  
  49152:xfDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszH8u1BbSCg3E16su:xfDQQsNJT16su
Score

10^/10

formbook kmge credential_access discovery execution persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgecredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

behavioral2

formbookkmgeexecutionpersistenceratspywarestealertrojan