formbook | 83ce77985bd0799406f31944c4c794d3a5ae598c6ef4d9a491036f6bb0189976 | Triage

Sharing

General

Target

83ce77985bd0799406f31944c4c794d3a5ae598c6ef4d9a491036f6bb0189976N.exe
Size

601KB
Sample

241116-adedeawaqr
MD5

08e3110de62690a682f85795e5fd4010
SHA1

afa24d6e66239e6a0d3fcda5d33645b3af12bbbb
SHA256

83ce77985bd0799406f31944c4c794d3a5ae598c6ef4d9a491036f6bb0189976
SHA512

d98143450067dd6fe5b752b53855d4ad52ca8e87a5776966103eae0fe92f7f6a6ed621dd1f831835804570204386808c1a22586091521e030637531f9c6458f2
SSDEEP

12288:wMyC2sShGwjlun4PVoqa5lUrZUZzQn0azM/iRTp7jDjfhv6SDT:wMy9BGilFP6qKlUreundeiL7fgSv

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  83ce77985bd0799406f31944c4c794d3a5ae598c6ef4d9a491036f6bb0189976N.exe
- Size
  
  601KB
- MD5
  
  08e3110de62690a682f85795e5fd4010
- SHA1
  
  afa24d6e66239e6a0d3fcda5d33645b3af12bbbb
- SHA256
  
  83ce77985bd0799406f31944c4c794d3a5ae598c6ef4d9a491036f6bb0189976
- SHA512
  
  d98143450067dd6fe5b752b53855d4ad52ca8e87a5776966103eae0fe92f7f6a6ed621dd1f831835804570204386808c1a22586091521e030637531f9c6458f2
- SSDEEP
  
  12288:wMyC2sShGwjlun4PVoqa5lUrZUZzQn0azM/iRTp7jDjfhv6SDT:wMy9BGilFP6qKlUreundeiL7fgSv
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan