formbook | a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241 | Triage

Sharing

General

Target

a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241
Size

851KB
Sample

241107-t8qjpsylbj
MD5

315b8465e215b51916f253c741a98db8
SHA1

5e39e3d2b9a9445e352758f83282175f2636fa70
SHA256

a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241
SHA512

ca8590ef803c0fdebf9527b309fc4a3464ab5a7241d7b6b4eea763308d8563d380ad556a49f8b09b335f9a7fef494543f5cfeab965abb5dcef062fb8c0a42c76
SSDEEP

12288:jTfWpmLKE2pb57IG9Kd962BfCqfqyI9jADIsLINHn0J7pCIhdDZcCdAtBXVb:jV2t5sG9s968EpjADIsyn0JVpDmtBX5

Score

10^/10

formbook rp26 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rp26

Decoy

rn3grmg9.sbs

4644.one

18tbo.com

c9max.shop

8914.loan

eptacore.xyz

ormto.website

vcreative.store

anglaoshi13.buzz

ewa123.bid

vantiverdeoficial.shop

sik89starwin.fun

niquestorebd.xyz

assword-manager-41452.bond

uccessproit.shop

kl1tuvy0.asia

titchinheavenqs.shop

w178.top

errari-mieten-dubai.click

ba-103mu.net

Targets

- Target
  
  a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241
- Size
  
  851KB
- MD5
  
  315b8465e215b51916f253c741a98db8
- SHA1
  
  5e39e3d2b9a9445e352758f83282175f2636fa70
- SHA256
  
  a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241
- SHA512
  
  ca8590ef803c0fdebf9527b309fc4a3464ab5a7241d7b6b4eea763308d8563d380ad556a49f8b09b335f9a7fef494543f5cfeab965abb5dcef062fb8c0a42c76
- SSDEEP
  
  12288:jTfWpmLKE2pb57IG9Kd962BfCqfqyI9jADIsLINHn0J7pCIhdDZcCdAtBXVb:jV2t5sG9s968EpjADIsyn0JVpDmtBX5
Score

10^/10

formbook rp26 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookrp26discoveryexecutionratspywarestealertrojan

behavioral2

formbookrp26discoveryexecutionratspywarestealertrojan