formbook | 676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff | Triage

Sharing

General

Target

676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff.exe
Size

597KB
Sample

240926-b8hjzstalc
MD5

393af8f9bd1d87aeba174a372501226d
SHA1

bcabfbb12455a619b9e9432bfbeaa8b21a54d2bb
SHA256

676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff
SHA512

b24f18a75e9be49940005f453ec043f27624387a2d151269b5edec598ca9ac886b30381d200173251020bd2451b4f99cb62187889f723421d73e828d1b13f793
SSDEEP

12288:kdjpM7DmTGmyn7Ox9CnrOX7jqil2N8JL168bQbW:Ap4Df7OSrOLj6kPI

Score

10^/10

formbook btrd discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Targets

- Target
  
  676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff.exe
- Size
  
  597KB
- MD5
  
  393af8f9bd1d87aeba174a372501226d
- SHA1
  
  bcabfbb12455a619b9e9432bfbeaa8b21a54d2bb
- SHA256
  
  676e4dc7f22754ad4bc78e4eff5e6df0a66461e5e6c76fd35b1cd50f099f2aff
- SHA512
  
  b24f18a75e9be49940005f453ec043f27624387a2d151269b5edec598ca9ac886b30381d200173251020bd2451b4f99cb62187889f723421d73e828d1b13f793
- SSDEEP
  
  12288:kdjpM7DmTGmyn7Ox9CnrOX7jqil2N8JL168bQbW:Ap4Df7OSrOLj6kPI
Score

10^/10

formbook btrd discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbtrddiscoveryexecutionratspywarestealertrojan

behavioral2

formbookbtrddiscoveryexecutionratspywarestealertrojan