formbook | 320aa8c92e7c70266b35c8a5fc38ed069d68e6e1403b3ce56bab93fbd349d890 | Triage

Sharing

General

Target

320aa8c92e7c70266b35c8a5fc38ed069d68e6e1403b3ce56bab93fbd349d890.exe
Size

604KB
Sample

241019-bq4phaybph
MD5

7151c1fc12551a189cf6760f2decb54b
SHA1

afff9a2b21ed9934691b71bd3b22f184690ec909
SHA256

320aa8c92e7c70266b35c8a5fc38ed069d68e6e1403b3ce56bab93fbd349d890
SHA512

bd13aa406ec36c4077a730ebe5947027638929874c2bb02cf72f267c7ed7877b309589613d45720bdc4afe68e54a17666f87c11ff719ccc519812224c5869d63
SSDEEP

12288:SczC2XO/ixYJPRtwS5xSeRvIMC6BjxB4KOvriMT3eftntB:e2XO/AcPRWQxFqM5BjIjTOVn

Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cu29

Decoy

qidr.shop

usinessaviationconsulting.net

68716329.xyz

nd-los.net

ealthironcladguarantee.shop

oftware-download-69354.bond

48372305.top

omeownershub.top

mall-chilli.top

ajakgoid.online

ire-changer-53482.bond

rugsrx.shop

oyang123.info

azino-forum-pro.online

817715.rest

layman.vip

eb777.club

ovatonica.net

urgaslotvip.website

inn-paaaa.buzz

Targets

- Target
  
  320aa8c92e7c70266b35c8a5fc38ed069d68e6e1403b3ce56bab93fbd349d890.exe
- Size
  
  604KB
- MD5
  
  7151c1fc12551a189cf6760f2decb54b
- SHA1
  
  afff9a2b21ed9934691b71bd3b22f184690ec909
- SHA256
  
  320aa8c92e7c70266b35c8a5fc38ed069d68e6e1403b3ce56bab93fbd349d890
- SHA512
  
  bd13aa406ec36c4077a730ebe5947027638929874c2bb02cf72f267c7ed7877b309589613d45720bdc4afe68e54a17666f87c11ff719ccc519812224c5869d63
- SSDEEP
  
  12288:SczC2XO/ixYJPRtwS5xSeRvIMC6BjxB4KOvriMT3eftntB:e2XO/AcPRWQxFqM5BjIjTOVn
Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcu29discoveryexecutionratspywarestealertrojan

behavioral2

formbookcu29discoveryexecutionratspywarestealertrojan