formbook | 97682dafee4eaeeee854d6a0da31e5f3dbd5922571a608226886af3b8362be6d | Triage

Sharing

General

Target

97682dafee4eaeeee854d6a0da31e5f3dbd5922571a608226886af3b8362be6d
Size

533KB
Sample

241104-rs3g8azras
MD5

2e2083e41c88d9ba9a0d89f29f830b16
SHA1

15f1d7982cb1e4b93484af7ae0d86aa2830d96c6
SHA256

97682dafee4eaeeee854d6a0da31e5f3dbd5922571a608226886af3b8362be6d
SHA512

7c7c7ce36203a30628095d94fdec12831ba9a9124efdab91a4a6d5ad20b2ff519b2fd5717f4b7de9f614a772a8772f89c05f48964d55c898436d357d0b99c8af
SSDEEP

12288:pdQnuO9WpNlAj+IADmsSbKuMQHhD9mDXFpq4JnwcXlpHVtr:fxDpbAjymc7QHJ9aqFcnn

Score

10^/10

formbook d23e discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d23e

Decoy

imziii.com

ramphaithaimassage.co.uk

nightfruit.co.uk

1800romy.com

cristianoinu.com

laliaison.net

basisbola.com

ble.college

glovesnotguns.com

asdhelpdesk.com

formulaalpha3f.com

damlaaltun.com

forginotic.co.uk

car-leasing-54007.com

100kstages.com

ansamistore.com

jobshub.africa

khaf.top

cky11.com

subuwu.com

Targets

- Target
  
  d7fb90a1b438f34eb157d31442167e611c5517027bd52bb2fe9688fa44879757.exe
- Size
  
  604KB
- MD5
  
  d42ee0f99c11295c282ea512163ff60a
- SHA1
  
  e26434374d82c82d72ceaae8a908ea219f7be172
- SHA256
  
  d7fb90a1b438f34eb157d31442167e611c5517027bd52bb2fe9688fa44879757
- SHA512
  
  ab8f7c59af2e9f3db2e4f11ac102e7c9f06821ca836027c027373b713d98fe96c0060f2708099f75a47dea9bb31ee8b512e8ca98ee5ada90b43cf1e08dfbd675
- SSDEEP
  
  12288:4eMCgOi9ZopgBLWv8ZYMTrktgbRfRWFw:QKiXPUvL2rkt3Fw
Score

10^/10

formbook d23e discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd23ediscoveryexecutionratspywarestealertrojan

behavioral2

formbookd23ediscoveryexecutionratspywarestealertrojan