formbook | 2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1 | Triage

Sharing

General

Target

2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1.exe
Size

1.6MB
Sample

241008-qfhfvasckc
MD5

fe3ab433cdc30a005e1616af15a6b0e9
SHA1

a7d6e4d912d4d5b4dbfd0703a8af467d18f7b4ed
SHA256

2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1
SHA512

a3c14f1568054ac17c6e8ed4cd0b811013bf6ddfb4d1e309edcfca7b791d122866db4adb621932cd6b762742331662b64f3ff1832b7c31fbffb191563ab7f75e
SSDEEP

49152:wAodtaG9kS2U84B+FLan9k5TRM9zloVj8Hn:Q/B1r

Score

10^/10

formbook gy15 discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

hairsdeals.today

acob-saaad.buzz

9955.club

gild6222.vip

nline-shopping-56055.bond

lmadulles.top

utemodels.info

ighdd4675.online

nqqkk146.xyz

avasales.online

ortas-de-madeira.today

haad.xyz

races-dental-splints-15439.bond

hilohcreekpemf.online

rrivalgetaways.info

orktoday-2507-02-sap.click

eceriyayinlari.xyz

lsurfer.click

aston-saaae.buzz

etrot.pro

Targets

- Target
  
  2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1.exe
- Size
  
  1.6MB
- MD5
  
  fe3ab433cdc30a005e1616af15a6b0e9
- SHA1
  
  a7d6e4d912d4d5b4dbfd0703a8af467d18f7b4ed
- SHA256
  
  2d9e008828a19f6329b2ca4abcfdefa9b124e1eb5eb3270be8b6f1f77476b3d1
- SHA512
  
  a3c14f1568054ac17c6e8ed4cd0b811013bf6ddfb4d1e309edcfca7b791d122866db4adb621932cd6b762742331662b64f3ff1832b7c31fbffb191563ab7f75e
- SSDEEP
  
  49152:wAodtaG9kS2U84B+FLan9k5TRM9zloVj8Hn:Q/B1r
Score

10^/10

formbook gy15 discovery execution persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgy15discoveryexecutionpersistenceratspywarestealertrojan

behavioral2

formbookgy15discoveryexecutionratspywarestealertrojan