Extracted

• • Target

    ee118f8e57acfa0e476638a011ed8d6664d1499e1b326180e21e6f9834ea93e0.exe

  • Size

    597KB

  • MD5

    a2082543a1c1028dd0a613a6a2af4d21

  • SHA1

    b6fff58598fad2366a05c18d2d3ccf00f7403391

  • SHA256

    ee118f8e57acfa0e476638a011ed8d6664d1499e1b326180e21e6f9834ea93e0

  • SHA512

    0dad8d8910dfe0d567477c00a1ded696f5ad582fa671731480ae0d8662994a44f61af23373d3c90b44979fb4a6c3fc47ac5f0123442b9af48283ba4fe7a03370

  • SSDEEP

    12288:u8EaxDW9G3pwB8uVR8WMQSiWLog+ggWgadajFCMQYcnNdhyq71724Lt:FEaxD31YOW5CzWUTN6E1R

  Score

  10^/10

  formbookrn94discoveryexecutionratspywarestealertrojan

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Formbook payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2