formbook | 2efd54686c3942f7778ae4ad63c002e50d1fd2a08fac36ac770dff40cb3e3788 | Triage

Sharing

General

Target

z1____________.exe
Size

676KB
Sample

241120-d22qdsvkhm
MD5

57d485ab07368d3d7fbd1b62b8bb6a5f
SHA1

15749ab51781854689d73a7f7a94d6052546fa9a
SHA256

2efd54686c3942f7778ae4ad63c002e50d1fd2a08fac36ac770dff40cb3e3788
SHA512

7abdbfad7c6ba7956b580c6656d4224ac5023c6df7754a35025bd82b6190f543cd35bf220e3130070799599b10b7b017e2a262d971fab29dd62e2c372a4b6118
SSDEEP

12288:vrOd+Ri3AgFd13C1/CYU0EY5ZLl2YFye+JwP78lprlDfB:tQ3Ag13EKx0BR+2YlppD5

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  z1____________.exe
- Size
  
  676KB
- MD5
  
  57d485ab07368d3d7fbd1b62b8bb6a5f
- SHA1
  
  15749ab51781854689d73a7f7a94d6052546fa9a
- SHA256
  
  2efd54686c3942f7778ae4ad63c002e50d1fd2a08fac36ac770dff40cb3e3788
- SHA512
  
  7abdbfad7c6ba7956b580c6656d4224ac5023c6df7754a35025bd82b6190f543cd35bf220e3130070799599b10b7b017e2a262d971fab29dd62e2c372a4b6118
- SSDEEP
  
  12288:vrOd+Ri3AgFd13C1/CYU0EY5ZLl2YFye+JwP78lprlDfB:tQ3Ag13EKx0BR+2YlppD5
Score

10^/10

discovery execution formbook dn13 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan