formbook | 44f75d2a856166c782dbcee5839ef36c900e8ef82ad1e9c6d3b40792bddc731e | Triage

Sharing

General

Target

44f75d2a856166c782dbcee5839ef36c900e8ef82ad1e9c6d3b40792bddc731eN
Size

697KB
Sample

241109-q5qhrawakd
MD5

24825bfc3a5271c2ec5c6715cf6f2b80
SHA1

a023d0624490608820f6c9856a7aa8ae7c32666e
SHA256

44f75d2a856166c782dbcee5839ef36c900e8ef82ad1e9c6d3b40792bddc731e
SHA512

051f7a037f32519a758ce08c08f9f7014af5ce01378347b9b9c89eafada5da2b0949f7cfa96e7af84659167d4532275c253a206271cc332c5073037b8013d830
SSDEEP

12288:qlx75hZfmn5+IrAT439F/FNLeJkcMTEuUP6j8qmqyeqgyewovls7+18AY9nSH:k75/f2/A8tBLeJR6EuUlayeqVec7+18O

Score

10^/10

formbook rp26 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rp26

Decoy

rn3grmg9.sbs

4644.one

18tbo.com

c9max.shop

8914.loan

eptacore.xyz

ormto.website

vcreative.store

anglaoshi13.buzz

ewa123.bid

vantiverdeoficial.shop

sik89starwin.fun

niquestorebd.xyz

assword-manager-41452.bond

uccessproit.shop

kl1tuvy0.asia

titchinheavenqs.shop

w178.top

errari-mieten-dubai.click

ba-103mu.net

Targets

- Target
  
  44f75d2a856166c782dbcee5839ef36c900e8ef82ad1e9c6d3b40792bddc731eN
- Size
  
  697KB
- MD5
  
  24825bfc3a5271c2ec5c6715cf6f2b80
- SHA1
  
  a023d0624490608820f6c9856a7aa8ae7c32666e
- SHA256
  
  44f75d2a856166c782dbcee5839ef36c900e8ef82ad1e9c6d3b40792bddc731e
- SHA512
  
  051f7a037f32519a758ce08c08f9f7014af5ce01378347b9b9c89eafada5da2b0949f7cfa96e7af84659167d4532275c253a206271cc332c5073037b8013d830
- SSDEEP
  
  12288:qlx75hZfmn5+IrAT439F/FNLeJkcMTEuUP6j8qmqyeqgyewovls7+18AY9nSH:k75/f2/A8tBLeJR6EuUlayeqVec7+18O
Score

10^/10

discovery execution formbook rp26 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

formbookrp26discoveryexecutionratspywarestealertrojan