formbook | 24a847e4b33b39bee7a496a1262a167cf5659a2f00c507c9118724bfc7035436 | Triage

Sharing

General

Target

46827077a4c07d354de20e2e85e06d4f.bin
Size

564KB
Sample

241114-blfrwasdnc
MD5

c37ec59997366522dda00dabd95fc56b
SHA1

48a0367b8b89802032e757b0cf29639554ea5fc1
SHA256

24a847e4b33b39bee7a496a1262a167cf5659a2f00c507c9118724bfc7035436
SHA512

4b7c7af54cbc0c8fb568f9d62751ccaf673ac9529c6d1b58df1c6470223486465ff7c89ccc7c8217a32d0aca0c5d004aba819b74ecfd5fe022d8123690be53a3
SSDEEP

12288:4WxvkTd6RnZiMVMkcYiQMC3BSjl5bYZ0wXXGrhCxGQMp:4qvkwnghkcYiCBGpYTOUl8

Score

10^/10

formbook md49 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md49

Decoy

enithpro.shop

utozeed.agency

ornpicsbd.xyz

82yjj301.top

kphone.online

3ccha73hdl5.shop

seinow.online

usurrofest.info

2ads2s2.top

oritskul.net

etlivecasino.bet

erts.navy

anieubezpieczenia.online

dyhph1020pm.top

paceglide.space

ibmedia.net

arwyking.icu

soriaticarthritis101.today

earopia.shop

gctg2qt4h.top

Targets

- Target
  
  d079862ef124c7736c9321485c30fa19a7c944ac81bc683d123c1aa6c50414a5.exe
- Size
  
  586KB
- MD5
  
  46827077a4c07d354de20e2e85e06d4f
- SHA1
  
  056f6f4f2dc98b4d184408377f91cb4296030245
- SHA256
  
  d079862ef124c7736c9321485c30fa19a7c944ac81bc683d123c1aa6c50414a5
- SHA512
  
  ccd3b5c9acab1024fd0b11876b0716c0839d9e308a9a854ed2b93bb6a22f06efa4826d0d5a4ba23428d12f25290d4fa5bb35992dff6b7b004ba6c1eca91b6a05
- SSDEEP
  
  12288:c0nsD9cyVPu1VOsaA+0/vOamqspcedULkqnb4:vnccydu10BOsp9Zqnb4
Score

10^/10

formbook md49 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmd49discoveryexecutionratspywarestealertrojan

behavioral2

formbookmd49discoveryexecutionratspywarestealertrojan