formbook | 03fa43931af3b6313fdba4fddae1924a85fbf0345fbf238f73d9ddc282598fe0 | Triage

Sharing

General

Target

03fa43931af3b6313fdba4fddae1924a85fbf0345fbf238f73d9ddc282598fe0.exe
Size

454KB
Sample

241122-lek35ayjet
MD5

32ecacb78c39219a4aad99e0849541ca
SHA1

8f1b2f77412bdeb16f9d58bea70dd52610cfc179
SHA256

03fa43931af3b6313fdba4fddae1924a85fbf0345fbf238f73d9ddc282598fe0
SHA512

392879431476b4b095514ed8a4f4536cd84ee47cd09e4cb8d81d59920dbc30cb737834caa5ed9762dfc874a07efd40a25a41da15c23369c5de04d80d2cc26a30
SSDEEP

6144:RT6Uqd2GhN5TebaT+hbE8BuXQ7NwHeOwvGOYLtXy00ynAWGyAu4mpwcFCLFjuShO:RmUi2iNtwBE0YOYLt7WDuZmo4juCueW9

Score

10^/10

formbook u1bs discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1bs

Decoy

ln-safe-keepingmisva4.xyz

rtfh.xyz

awolin.link

metadlf.com

cardboardcasual.com

psicoterapiahablada.com

spaminator.xyz

hnjqzl.top

dentalyinovasi.site

biosynblas.com

zvyk.store

shreevishwakarmaservices.com

showersplash.com

norbert-roth.com

londoncapitaltraders.com

istanbuldonerkebabheroncity.com

realdiscountsnow.com

marlinplumbingwnc.com

magazinadziavane.com

qantv.com

Targets

- Target
  
  03fa43931af3b6313fdba4fddae1924a85fbf0345fbf238f73d9ddc282598fe0.exe
- Size
  
  454KB
- MD5
  
  32ecacb78c39219a4aad99e0849541ca
- SHA1
  
  8f1b2f77412bdeb16f9d58bea70dd52610cfc179
- SHA256
  
  03fa43931af3b6313fdba4fddae1924a85fbf0345fbf238f73d9ddc282598fe0
- SHA512
  
  392879431476b4b095514ed8a4f4536cd84ee47cd09e4cb8d81d59920dbc30cb737834caa5ed9762dfc874a07efd40a25a41da15c23369c5de04d80d2cc26a30
- SSDEEP
  
  6144:RT6Uqd2GhN5TebaT+hbE8BuXQ7NwHeOwvGOYLtXy00ynAWGyAu4mpwcFCLFjuShO:RmUi2iNtwBE0YOYLt7WDuZmo4juCueW9
Score

10^/10

formbook u1bs discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooku1bsdiscoveryratspywarestealertrojan

behavioral2

formbooku1bsdiscoveryratspywarestealertrojan