formbook | 4003ba5752bd4c4969c49c34e65f594c8ae977ee7a06fd96681184308b72d3d3 | Triage

Sharing

General

Target

4003ba5752bd4c4969c49c34e65f594c8ae977ee7a06fd96681184308b72d3d3
Size

593KB
Sample

241112-k9mprszbrb
MD5

7dcab0ea73dd5a9a7455ef7c8a4c0d2a
SHA1

bdc449aaca0a43a93417517310178c99ad91642a
SHA256

4003ba5752bd4c4969c49c34e65f594c8ae977ee7a06fd96681184308b72d3d3
SHA512

da4fbd2e58990c6a975c2f1b444d97b0c6cefbd537fcd12b23986b77889cd2a140b3227c9dc267bcfa15c260c9f59c41d059d4d4ee66413ca079582cd8adf5d7
SSDEEP

12288:CSTZZAmKRL8KE9C6wZwedumQCTsE/3vBEHYcr9WW6ivZRfbwscMv6X:1T7T28KE92/dv9/3vixBWW3RV/cMv

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  4003ba5752bd4c4969c49c34e65f594c8ae977ee7a06fd96681184308b72d3d3
- Size
  
  593KB
- MD5
  
  7dcab0ea73dd5a9a7455ef7c8a4c0d2a
- SHA1
  
  bdc449aaca0a43a93417517310178c99ad91642a
- SHA256
  
  4003ba5752bd4c4969c49c34e65f594c8ae977ee7a06fd96681184308b72d3d3
- SHA512
  
  da4fbd2e58990c6a975c2f1b444d97b0c6cefbd537fcd12b23986b77889cd2a140b3227c9dc267bcfa15c260c9f59c41d059d4d4ee66413ca079582cd8adf5d7
- SSDEEP
  
  12288:CSTZZAmKRL8KE9C6wZwedumQCTsE/3vBEHYcr9WW6ivZRfbwscMv6X:1T7T28KE92/dv9/3vixBWW3RV/cMv
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan