formbook | 20973191d7a161b20753a6dfbb0113761bdbfaabece56d6725dd476de4402e77 | Triage

Sharing

General

Target

New Order list.exe
Size

601KB
Sample

241113-q7nf6ssmgy
MD5

054478ec1c85be8ee69f90233bcf496a
SHA1

20c7eacbfdbf82277cae11af7472b907b5188496
SHA256

20973191d7a161b20753a6dfbb0113761bdbfaabece56d6725dd476de4402e77
SHA512

f1f97d639d8c904870e8cce62eb666bdb16621123a98cfbc0694dc4f2882b0f9d5f8d90575af18c0eaabe01be18cd0931338867ff6f58fbc9afcbc13206dffd0
SSDEEP

12288:iMyC+M4oTxGaximtTT20EaF5yIyN+we7WAAS9fFxIw32Q:iMyT7kxf0mtTTKoEIyMFJZFxS

Score

10^/10

formbook md49 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md49

Decoy

enithpro.shop

utozeed.agency

ornpicsbd.xyz

82yjj301.top

kphone.online

3ccha73hdl5.shop

seinow.online

usurrofest.info

2ads2s2.top

oritskul.net

etlivecasino.bet

erts.navy

anieubezpieczenia.online

dyhph1020pm.top

paceglide.space

ibmedia.net

arwyking.icu

soriaticarthritis101.today

earopia.shop

gctg2qt4h.top

Targets

- Target
  
  New Order list.exe
- Size
  
  601KB
- MD5
  
  054478ec1c85be8ee69f90233bcf496a
- SHA1
  
  20c7eacbfdbf82277cae11af7472b907b5188496
- SHA256
  
  20973191d7a161b20753a6dfbb0113761bdbfaabece56d6725dd476de4402e77
- SHA512
  
  f1f97d639d8c904870e8cce62eb666bdb16621123a98cfbc0694dc4f2882b0f9d5f8d90575af18c0eaabe01be18cd0931338867ff6f58fbc9afcbc13206dffd0
- SSDEEP
  
  12288:iMyC+M4oTxGaximtTT20EaF5yIyN+we7WAAS9fFxIw32Q:iMyT7kxf0mtTTKoEIyMFJZFxS
Score

10^/10

formbook md49 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmd49discoveryexecutionratspywarestealertrojan

behavioral2

formbookmd49discoveryexecutionratspywarestealertrojan