formbook | 18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795 | Triage

Sharing

General

Target

18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795.exe
Size

798KB
Sample

240920-qalajsxfjh
MD5

db7625a1f6c3e496e64476cddde38f61
SHA1

43034a4a3e0c9e36691be73e3d031adf68ff924c
SHA256

18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795
SHA512

b4905c46b78ff9f880d8c5307d89069ad0d0c91e43dd6b3e9806cf77b39a9b11eace87bdadc0929b98146e5ab41cdda47f897b0ead391ab36091fbb29e0fb95e
SSDEEP

12288:cucFZ6W/vdWvR1/YLReWFabike8lf/yCrUhEaxcYrUx3F+Y1Gd:Fc7NWvPeRl0bike8lfHrUhVcPtMY1Gd

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795.exe
- Size
  
  798KB
- MD5
  
  db7625a1f6c3e496e64476cddde38f61
- SHA1
  
  43034a4a3e0c9e36691be73e3d031adf68ff924c
- SHA256
  
  18911c12980ff90d3ca5b456a41ba93f6e63d14efa8763ee354c3684e0632795
- SHA512
  
  b4905c46b78ff9f880d8c5307d89069ad0d0c91e43dd6b3e9806cf77b39a9b11eace87bdadc0929b98146e5ab41cdda47f897b0ead391ab36091fbb29e0fb95e
- SSDEEP
  
  12288:cucFZ6W/vdWvR1/YLReWFabike8lf/yCrUhEaxcYrUx3F+Y1Gd:Fc7NWvPeRl0bike8lfHrUhVcPtMY1Gd
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan