formbook | 7852d1abd54b4575421c9e18e92afa2c16134d665caaded3ec9715471bdcef6f | Triage

Sharing

General

Target

7852d1abd54b4575421c9e18e92afa2c16134d665caaded3ec9715471bdcef6f
Size

768KB
Sample

241112-shffdatphs
MD5

2282695174ed1bae5f1ce3985a257016
SHA1

eb5392928629a94248675bbfbc15e25d962a7368
SHA256

7852d1abd54b4575421c9e18e92afa2c16134d665caaded3ec9715471bdcef6f
SHA512

6c1a0bf9b9d4d20b6cda2b8a80e7182b5808c775e1a11c19bad1c1630d0854afbac517db74faa5322d465f24d5d0f5a8e4ce0690488471660bf23cfad77c1b8f
SSDEEP

12288:VEZMv6eRzvJD77yKC0xejgVCoadbPsrZGGwEcru7uq6vE9xnJ4biHfZI4:iZMvvzf7yduCoa9PsV3wEcru7OcHJkyJ

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  7852d1abd54b4575421c9e18e92afa2c16134d665caaded3ec9715471bdcef6f
- Size
  
  768KB
- MD5
  
  2282695174ed1bae5f1ce3985a257016
- SHA1
  
  eb5392928629a94248675bbfbc15e25d962a7368
- SHA256
  
  7852d1abd54b4575421c9e18e92afa2c16134d665caaded3ec9715471bdcef6f
- SHA512
  
  6c1a0bf9b9d4d20b6cda2b8a80e7182b5808c775e1a11c19bad1c1630d0854afbac517db74faa5322d465f24d5d0f5a8e4ce0690488471660bf23cfad77c1b8f
- SSDEEP
  
  12288:VEZMv6eRzvJD77yKC0xejgVCoadbPsrZGGwEcru7uq6vE9xnJ4biHfZI4:iZMvvzf7yduCoa9PsV3wEcru7OcHJkyJ
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan