formbook | 25d0a78ee9fc50454f08884af6374a87b077152247b224755c75449e29ee7475 | Triage

Sharing

General

Target

25d0a78ee9fc50454f08884af6374a87b077152247b224755c75449e29ee7475.exe
Size

1.6MB
Sample

241010-bpv1zatbrf
MD5

e0fc2a14655283b54a975b61912aadc8
SHA1

0ac8275cd89eddf852c3ffd8d5b7e4a58e4f32bd
SHA256

25d0a78ee9fc50454f08884af6374a87b077152247b224755c75449e29ee7475
SHA512

d139ca854b8132e9095d9cea2abff4b62ed1dc2cc3cc674606d52d2692d73c98472a38e17733c9f81e77ec84dbeb02d0d4ab5ebedc494cb1eb3128551efb6cd5
SSDEEP

49152:wAodtaG9kS2U84B+FLan9k5TRM9zlEVjkfNlo:Q/B19Vm

Score

10^/10

formbook gy15 discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

hairsdeals.today

acob-saaad.buzz

9955.club

gild6222.vip

nline-shopping-56055.bond

lmadulles.top

utemodels.info

ighdd4675.online

nqqkk146.xyz

avasales.online

ortas-de-madeira.today

haad.xyz

races-dental-splints-15439.bond

hilohcreekpemf.online

rrivalgetaways.info

orktoday-2507-02-sap.click

eceriyayinlari.xyz

lsurfer.click

aston-saaae.buzz

etrot.pro

Targets

- Target
  
  25d0a78ee9fc50454f08884af6374a87b077152247b224755c75449e29ee7475.exe
- Size
  
  1.6MB
- MD5
  
  e0fc2a14655283b54a975b61912aadc8
- SHA1
  
  0ac8275cd89eddf852c3ffd8d5b7e4a58e4f32bd
- SHA256
  
  25d0a78ee9fc50454f08884af6374a87b077152247b224755c75449e29ee7475
- SHA512
  
  d139ca854b8132e9095d9cea2abff4b62ed1dc2cc3cc674606d52d2692d73c98472a38e17733c9f81e77ec84dbeb02d0d4ab5ebedc494cb1eb3128551efb6cd5
- SSDEEP
  
  49152:wAodtaG9kS2U84B+FLan9k5TRM9zlEVjkfNlo:Q/B19Vm
Score

10^/10

formbook gy15 discovery execution persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgy15discoveryexecutionpersistenceratspywarestealertrojan

behavioral2

formbookgy15discoveryexecutionratspywarestealertrojan