formbook | 5ac927c32055134e77b834d05be7c51aacbaeb6e49a0bae44c3c70be070c4131 | Triage

Sharing

General

Target

5ac927c32055134e77b834d05be7c51aacbaeb6e49a0bae44c3c70be070c4131
Size

579KB
Sample

241111-rmg94ayrev
MD5

4de598adbeb255dafe983cee48edc209
SHA1

c171f77fd8e7d91256146db0bf43a88852f4a128
SHA256

5ac927c32055134e77b834d05be7c51aacbaeb6e49a0bae44c3c70be070c4131
SHA512

b5bd43124add99e0dccc565ecd8603e6a93d591472107c62cd8841267f69b873444a409b9103ec7fcdf0a5307daeca4106b2a9033e8ba6dc9ce6c5f0b059b4d9
SSDEEP

12288:5TZtaRpexOmeooh0Mz11U9K6WNvspPYHN/y+qqYnYRoZHG5cgafJb:Na/c4ooJJ1oK6WNUV0vrvooGJb

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  PEDIDO DE COMPRA URGENTE.exe
- Size
  
  633KB
- MD5
  
  8dd4adce71cfa1cd8d33eccf4da34043
- SHA1
  
  2da9f1662d721ee5dd32273b45608078b930ad35
- SHA256
  
  c8709a132b063bfb746899511930b50ee84019dc45206333b74cdf702963a187
- SHA512
  
  35140a18504b50d0119aa67e01dd3db097a24512e1567580ac8640f9fcf2b908eed8374a8b6476bab6ee9170e2fc7a1a2d2d29de3aadf3d16754917d1e365779
- SSDEEP
  
  12288:PXm0LA8PMyhx7WUh0Mzgn1I9CYeXRU9/YZl/ycoInCRngGo315IeypRxDxD0:PA877WU3En18CYeXq1KL4nv615Ij
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan