formbook | e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633 | Triage

Sharing

General

Target

e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
Size

731KB
Sample

241114-h5wqrsyrep
MD5

b13f89d8eafc3a90742bb8fe102e4225
SHA1

8c0a430ea82da3282be9c2dc2011c0d1b4a3cc2b
SHA256

e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
SHA512

85d98bc784bce0cbf5d7264e44b89d1a72c7892aeb9defbe622f7844479d9dcd06d2679e7ec0e2f8691af334dfdbb17540ffb55f24e2f06b8ecb9f53b5f13e13
SSDEEP

12288:53O+0J9NQxftcBfz6wzGxGOuyNwuhzKm+gATKkwpf8Z0l14r7N5:JqJvQxFu76eGEnymcATXwpfGj7N

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
- Size
  
  731KB
- MD5
  
  b13f89d8eafc3a90742bb8fe102e4225
- SHA1
  
  8c0a430ea82da3282be9c2dc2011c0d1b4a3cc2b
- SHA256
  
  e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
- SHA512
  
  85d98bc784bce0cbf5d7264e44b89d1a72c7892aeb9defbe622f7844479d9dcd06d2679e7ec0e2f8691af334dfdbb17540ffb55f24e2f06b8ecb9f53b5f13e13
- SSDEEP
  
  12288:53O+0J9NQxftcBfz6wzGxGOuyNwuhzKm+gATKkwpf8Z0l14r7N5:JqJvQxFu76eGEnymcATXwpfGj7N
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan