formbook | 7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8 | Triage

Sharing

General

Target

7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8.exe
Size

824KB
Sample

241010-b54m2szbln
MD5

681c16a3a587aa1bc8041d068d03c75a
SHA1

8a32b2e4e5542234a43761516751c926795c7218
SHA256

7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8
SHA512

13ba066b977ae3664055fa4a48ec1298cf3beb113e6de4404620bca4b0ba1bcf67c73ea908c94ae6f734dddf4343ab091cf4b7950408c7aa96beb1791d30d2d2
SSDEEP

24576:bq/KMd/wQUyggtrlDMQJQpugkSAyxldMT4s5PF/xT52zUwivB1:WSAyz6Xd/x12zUtp

Score

10^/10

formbook gwdv discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gwdv

Decoy

boyxlife.cyou

v9.delivery

intelliflow.run

gstech.cloud

qzbqtu.cyou

splunk-test.dev

nasocnite.xyz

outdooradventuregearhub511.shop

uptobisone.website

andyouwannafuck.cloud

blancslatespeedshop.com

technical.cash

highercall.net

incronizid.dev

tzx9y.rest

brakpanbrand.net

stimna.love

thefarmerzpizza.info

full4d.net

lingerie-16071.bond

Targets

- Target
  
  7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8.exe
- Size
  
  824KB
- MD5
  
  681c16a3a587aa1bc8041d068d03c75a
- SHA1
  
  8a32b2e4e5542234a43761516751c926795c7218
- SHA256
  
  7230fedad9b1999e55841868a75082f735cf510b5c0cd3659746c90ba4d178d8
- SHA512
  
  13ba066b977ae3664055fa4a48ec1298cf3beb113e6de4404620bca4b0ba1bcf67c73ea908c94ae6f734dddf4343ab091cf4b7950408c7aa96beb1791d30d2d2
- SSDEEP
  
  24576:bq/KMd/wQUyggtrlDMQJQpugkSAyxldMT4s5PF/xT52zUwivB1:WSAyz6Xd/x12zUtp
Score

10^/10

formbook gwdv discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgwdvdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookgwdvdiscoveryexecutionratspywarestealertrojan