formbook | 7179dd3ea3dcfc1521895d39342c1ac03da908b0baaabc358a1caadea9123a95 | Triage

Sharing

General

Target

7179dd3ea3dcfc1521895d39342c1ac03da908b0baaabc358a1caadea9123a95.exe
Size

633KB
Sample

241112-mw8fes1dre
MD5

596c94c19646225e8bb24d7a95cc9537
SHA1

c917031c6b6401080e4d0c8eb08b002608d6d8bb
SHA256

7179dd3ea3dcfc1521895d39342c1ac03da908b0baaabc358a1caadea9123a95
SHA512

b82eeee86ecadf931a627677547a7b76ff67b09483cce3b330447f1595ca9d3e61bbea2ff09e2eb1abab57e74c3d530442f0fdcce051f7faf641ea4d227f9f9a
SSDEEP

12288:PXm0LA8PMyhx7WUh0Mzgn1I9CYeXRU9/YZl/ycoInCRngGo315IeypRxDxD0F:PA877WU3En18CYeXq1KL4nv615Ijo

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  7179dd3ea3dcfc1521895d39342c1ac03da908b0baaabc358a1caadea9123a95.exe
- Size
  
  633KB
- MD5
  
  596c94c19646225e8bb24d7a95cc9537
- SHA1
  
  c917031c6b6401080e4d0c8eb08b002608d6d8bb
- SHA256
  
  7179dd3ea3dcfc1521895d39342c1ac03da908b0baaabc358a1caadea9123a95
- SHA512
  
  b82eeee86ecadf931a627677547a7b76ff67b09483cce3b330447f1595ca9d3e61bbea2ff09e2eb1abab57e74c3d530442f0fdcce051f7faf641ea4d227f9f9a
- SSDEEP
  
  12288:PXm0LA8PMyhx7WUh0Mzgn1I9CYeXRU9/YZl/ycoInCRngGo315IeypRxDxD0F:PA877WU3En18CYeXq1KL4nv615Ijo
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan