formbook | 6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed | Triage

Sharing

General

Target

6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed.exe
Size

592KB
Sample

241119-fb3acavqgr
MD5

d039f15f77ad696715f197d12827318c
SHA1

ce786e2ba65755901c732205cf1cc704a579f199
SHA256

6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed
SHA512

3e7d8bfb67bddf47d7425253362618c3ffa5767aaf7cce0f843c011746f338cbd30026c6da10617dccdb8cf7e2088cf56b1ccaa69c1e6ac8df538ff1614ca112
SSDEEP

12288:YhL/s0ypqDDF+3e+l96i0rvr7ipmcy901IeevWYBj74E0kk2evMY6:yWqvE3ZlIrvrQy+IRJkEe36

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed.exe
- Size
  
  592KB
- MD5
  
  d039f15f77ad696715f197d12827318c
- SHA1
  
  ce786e2ba65755901c732205cf1cc704a579f199
- SHA256
  
  6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed
- SHA512
  
  3e7d8bfb67bddf47d7425253362618c3ffa5767aaf7cce0f843c011746f338cbd30026c6da10617dccdb8cf7e2088cf56b1ccaa69c1e6ac8df538ff1614ca112
- SSDEEP
  
  12288:YhL/s0ypqDDF+3e+l96i0rvr7ipmcy901IeevWYBj74E0kk2evMY6:yWqvE3ZlIrvrQy+IRJkEe36
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan