formbook | 5b644735c25773e7d18a70b9d20495cf8c0cb8a2541e07e76eda4541d73ad4b2 | Triage

Sharing

General

Target

5b644735c25773e7d18a70b9d20495cf8c0cb8a2541e07e76eda4541d73ad4b2
Size

551KB
Sample

240922-1dl2csxcqk
MD5

2f78dccbe8abc17da8e0a34e33bfdd13
SHA1

b8d7685e0e295d2cb15f383bca20388782a1b263
SHA256

5b644735c25773e7d18a70b9d20495cf8c0cb8a2541e07e76eda4541d73ad4b2
SHA512

84c8b4534933d95a60e0bd99e0555d0a6878bf3e8ab4fd3b958d9345e6799fc200c46996803cfbbe60065e3cae66b016db6279682c5dea49ebb0911598c34840
SSDEEP

12288:KBkp8H/HECC7NEh9x0/2DFc/dlFypqCtaBndBp/fTr:UkpO/ECC7A9x6llKq5R

Score

10^/10

formbook g29o discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g29o

Decoy

edplanethomes.homes

aimin.club

amacheerguide.online

bcddpza.bond

ediamarketplace.online

ynasty.wine

hengsui.top

ousy.fashion

en-mud.xyz

etcall.tech

harity-50528.bond

iski.world

ikelai6.pro

areemeh.info

eitert-suhre-lengerich.audi

959725vkjdngl559.top

73qp28bu.autos

lassiin.shop

audementalplus.online

3win9.cyou

Targets

- Target
  
  5b644735c25773e7d18a70b9d20495cf8c0cb8a2541e07e76eda4541d73ad4b2
- Size
  
  551KB
- MD5
  
  2f78dccbe8abc17da8e0a34e33bfdd13
- SHA1
  
  b8d7685e0e295d2cb15f383bca20388782a1b263
- SHA256
  
  5b644735c25773e7d18a70b9d20495cf8c0cb8a2541e07e76eda4541d73ad4b2
- SHA512
  
  84c8b4534933d95a60e0bd99e0555d0a6878bf3e8ab4fd3b958d9345e6799fc200c46996803cfbbe60065e3cae66b016db6279682c5dea49ebb0911598c34840
- SSDEEP
  
  12288:KBkp8H/HECC7NEh9x0/2DFc/dlFypqCtaBndBp/fTr:UkpO/ECC7A9x6llKq5R
Score

10^/10

formbook g29o discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg29odiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg29odiscoveryexecutionratspywarestealertrojan