formbook | 5e8cfae8c74f546024e9267537040349b266455f630f0fa756747143efc1083d | Triage

Sharing

General

Target

5e8cfae8c74f546024e9267537040349b266455f630f0fa756747143efc1083dN
Size

582KB
Sample

241010-tw4kssvdnh
MD5

7f5532422bc37e37aacead6b8af7bac0
SHA1

7b38714edc7146fe45ba7dafa0af6136f4c78cfe
SHA256

5e8cfae8c74f546024e9267537040349b266455f630f0fa756747143efc1083d
SHA512

ff0c35e981241f7331c0e8251000f3f11cb908d40732b7acf634bf63a3367330fc3049ce9e45e9523fd4276109a38c2e422e5b8020f3d1b8e4b1d78e28046671
SSDEEP

12288:U5f0fn6Qic+BlHjsZa9c+wHfHuOoGSprhtYU6l+tJz:CbX5LAUM/OJGKqU6l+tl

Score

10^/10

formbook c18x discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c18x

Decoy

naer.top

loominc.club

eslgnpro.shop

rthodontist-53086.bond

hkil-art.online

-health.events

ustommygifts.online

reenscapemedia.online

mcometrade.online

mq8z.christmas

hristophersremodeling.biz

iverpoolvr.info

xlaw.app

heartpa.shop

nbxsbsk.shop

ompany-chargeback.pro

hevikingshucker.net

anaara.net

eadgenrndtbl.net

odagc.info

Targets

- Target
  
  5e8cfae8c74f546024e9267537040349b266455f630f0fa756747143efc1083dN
- Size
  
  582KB
- MD5
  
  7f5532422bc37e37aacead6b8af7bac0
- SHA1
  
  7b38714edc7146fe45ba7dafa0af6136f4c78cfe
- SHA256
  
  5e8cfae8c74f546024e9267537040349b266455f630f0fa756747143efc1083d
- SHA512
  
  ff0c35e981241f7331c0e8251000f3f11cb908d40732b7acf634bf63a3367330fc3049ce9e45e9523fd4276109a38c2e422e5b8020f3d1b8e4b1d78e28046671
- SSDEEP
  
  12288:U5f0fn6Qic+BlHjsZa9c+wHfHuOoGSprhtYU6l+tJz:CbX5LAUM/OJGKqU6l+tl
Score

10^/10

formbook c18x discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc18xdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc18xdiscoveryexecutionratspywarestealertrojan