formbook | d722071e87692ef2f7b94aa22e2b5153219dea78de81315b8fdaf18a3dc4cf6a | Triage

Sharing

General

Target

48de7633a9738c2392d6a449f59fcbcb.exe
Size

1.6MB
Sample

240920-kah8asxard
MD5

48de7633a9738c2392d6a449f59fcbcb
SHA1

f30905ce8f900e86f67d27bda53e1e8e42885356
SHA256

d722071e87692ef2f7b94aa22e2b5153219dea78de81315b8fdaf18a3dc4cf6a
SHA512

e8976d81a2d0039a90ccb5ddfc5dc86e541b59625a0f3901e6e3a422e1873290f8bcc936fa27b53b56411c9fc98bb7eac90f58c9b31d2d2c6750a40dece0bea2
SSDEEP

49152:IAodtaG9kS2U84B+FLan9k5TRM9zlFVjrW22:Y/B1x2

Score

10^/10

formbook kmge credential_access discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  48de7633a9738c2392d6a449f59fcbcb.exe
- Size
  
  1.6MB
- MD5
  
  48de7633a9738c2392d6a449f59fcbcb
- SHA1
  
  f30905ce8f900e86f67d27bda53e1e8e42885356
- SHA256
  
  d722071e87692ef2f7b94aa22e2b5153219dea78de81315b8fdaf18a3dc4cf6a
- SHA512
  
  e8976d81a2d0039a90ccb5ddfc5dc86e541b59625a0f3901e6e3a422e1873290f8bcc936fa27b53b56411c9fc98bb7eac90f58c9b31d2d2c6750a40dece0bea2
- SSDEEP
  
  49152:IAodtaG9kS2U84B+FLan9k5TRM9zlFVjrW22:Y/B1x2
Score

10^/10

formbook kmge credential_access discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgecredential_accessdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgeexecutionratspywarestealertrojan