formbook | bcbf9e27c214b03f42f5ea84183f8fb0466a000d6dcf664cf4efcef7648e8a72 | Triage

Sharing

General

Target

bcbf9e27c214b03f42f5ea84183f8fb0466a000d6dcf664cf4efcef7648e8a72
Size

542KB
Sample

241110-xfn2ysserj
MD5

fd70754729d3d4cfdc63202946597082
SHA1

f1748e65b5350c2e3758e3c7700667f5929a6dbd
SHA256

bcbf9e27c214b03f42f5ea84183f8fb0466a000d6dcf664cf4efcef7648e8a72
SHA512

c85c52e1d83b11b7f83046d0a2ad85e51f5b8d2af9fd327b511e717370782e48d039725a6f981ac814e2198c27fb5758c14e261d4b8316848bf03ef8a0997a8c
SSDEEP

12288:RgiFRFIrppK8eSwXfnxGuQPyAKLZ28pu8DTpSriHjcJmjoc:RgiFRm68eSwXTQPyAoxuFuoJUoc

Score

10^/10

formbook ce18 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce18

Decoy

kenfinnegan.com

exopestireland.com

allthingzbeautiellc.com

attractiveidiot.com

calmsealight.com

ectobyte.com

8rr.xyz

hcmajq.info

alisongraceventures.com

jamtanganbagus.online

forexpropfirmmastery.com

coupimmobilier.com

amarisetechnologies.com

countrykidsclothing.com

eyecatcher.tech

merxip.online

fiteallc.com

themensroombarber.co.uk

seroofingtelford.co.uk

birdie786.com

Targets

- Target
  
  2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42.exe
- Size
  
  644KB
- MD5
  
  6f845ee182e5a20dee93f871cab2a266
- SHA1
  
  31727f824de2990c70c664a9fc9e426110bb55c6
- SHA256
  
  2069c3254c5a28daea136f39db600c179ba421e70f71cdd5765575012eb42d42
- SHA512
  
  43181f79394b016849f1ae2d1cb20e3c646a3fbb64bdb6ddc141056c1f8c9584feefa5b454a0d422eff5f9bc813f40267071a429411efe6b6f0176bde94ff7a1
- SSDEEP
  
  12288:Ui0HRS/CwJlsNU5LoPzwGNFATXfnBbesGfORAsdH2Q:V0k6wg7PAjAWTt2
Score

10^/10

formbook ce18 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookce18discoveryexecutionratspywarestealertrojan

behavioral2

formbookce18discoveryexecutionratspywarestealertrojan