formbook | 049acba3a651eaee7dafe30127070276b8239482b3729d1b0c59eb18193bb5d2 | Triage

Sharing

General

Target

049acba3a651eaee7dafe30127070276b8239482b3729d1b0c59eb18193bb5d2N
Size

707KB
Sample

241025-zajamavake
MD5

9c5f4ece6d2f16e6cf6696229f1613b0
SHA1

16a9c30a7486e57f9e8645f4d6f23f4abe6662c6
SHA256

049acba3a651eaee7dafe30127070276b8239482b3729d1b0c59eb18193bb5d2
SHA512

8cd2ae7eddfda158b80b2b74163c89b9f54e330250f37a514e1b0000b5bfd6fe8d6989d9e8134692f3f6e44fdd14f8202a60ef23a1873703fabd046184d7422d
SSDEEP

12288:iHuE6zKsTe82yvDST+/SskMDv2AIKwNQKHkFGxeP5IaGxLuyNDe:j7Tl2sRSskbAyNQusG83

Score

10^/10

formbook p25o discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p25o

Decoy

hrist-centered-soulcare.net

pacerpa.shop

hicandcurvy.shop

ocfamilyto.llc

9ds87666.men

sia918ku.shop

nvestment-broker-35141.bond

ltralicencas.shop

g1lmb.cyou

eyo.live

pupt.rest

indsetperfection.net

1duqqrzs65zxz.bond

eren138-pro2.click

leaning-products-35959.bond

oodea.online

hlbadienug.info

innivip.bio

funnygame.top

roperty-in-dubai-f.pro

Targets

- Target
  
  049acba3a651eaee7dafe30127070276b8239482b3729d1b0c59eb18193bb5d2N
- Size
  
  707KB
- MD5
  
  9c5f4ece6d2f16e6cf6696229f1613b0
- SHA1
  
  16a9c30a7486e57f9e8645f4d6f23f4abe6662c6
- SHA256
  
  049acba3a651eaee7dafe30127070276b8239482b3729d1b0c59eb18193bb5d2
- SHA512
  
  8cd2ae7eddfda158b80b2b74163c89b9f54e330250f37a514e1b0000b5bfd6fe8d6989d9e8134692f3f6e44fdd14f8202a60ef23a1873703fabd046184d7422d
- SSDEEP
  
  12288:iHuE6zKsTe82yvDST+/SskMDv2AIKwNQKHkFGxeP5IaGxLuyNDe:j7Tl2sRSskbAyNQusG83
Score

10^/10

formbook p25o discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookp25odiscoveryexecutionratspywarestealertrojan

behavioral2

formbookp25odiscoveryexecutionratspywarestealertrojan