formbook | 0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8 | Triage

Sharing

General

Target

0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8.exe
Size

750KB
Sample

241010-ldak1aycpm
MD5

b3c5debaee5fc3162ebe21ff4348ba10
SHA1

11f4c3c6dbb5cbe09d150acfad464f00ef2fc5f8
SHA256

0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8
SHA512

cd104a78378581b9e9d9fad9618fe212febf62097cb134cef8b4dbf980065c389e67218ac7c2f78a88aa6eea249a4d0db7651bb9b9db09c29afc248c2c6c94e9
SSDEEP

12288:6umEhatVMuUcAzRpYooXxSBj3mnkvoBAllR7YMpv3dFcUH:UEKTIpYt03HvomfR7YqtS

Score

10^/10

formbook ga06 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ga06

Decoy

y1rmgv9c.top

orlifebasma.online

ocxxcakkejka.online

ealthcaretrendstr.bond

quitemtudo.online

oeziad.net

afelajuzq.shop

andasia.net

4web.info

acingdreams.xyz

fcpc.sbs

pin238rtp.lol

olar-systems-panels-91358.bond

ovember222.vip

01639.xyz

xfundz.top

illsol.top

rerise.shop

eavenlavvi.net

rtificial-turf23.online

Targets

- Target
  
  0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8.exe
- Size
  
  750KB
- MD5
  
  b3c5debaee5fc3162ebe21ff4348ba10
- SHA1
  
  11f4c3c6dbb5cbe09d150acfad464f00ef2fc5f8
- SHA256
  
  0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8
- SHA512
  
  cd104a78378581b9e9d9fad9618fe212febf62097cb134cef8b4dbf980065c389e67218ac7c2f78a88aa6eea249a4d0db7651bb9b9db09c29afc248c2c6c94e9
- SSDEEP
  
  12288:6umEhatVMuUcAzRpYooXxSBj3mnkvoBAllR7YMpv3dFcUH:UEKTIpYt03HvomfR7YqtS
Score

10^/10

formbook ga06 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookga06discoveryexecutionratspywarestealertrojan

behavioral2

formbookga06discoveryexecutionratspywarestealertrojan