formbook | c240de1c470b2ba22b8628de9a10b7d81e9f453eb94a46a9d0875f7f1705409c | Triage

Sharing

General

Target

c240de1c470b2ba22b8628de9a10b7d81e9f453eb94a46a9d0875f7f1705409c.exe
Size

650KB
Sample

241127-dg5xbatmdz
MD5

730cde87925272883e738b9eec270c8d
SHA1

4dab428287be9155966e69a8f44fe2001e123df1
SHA256

c240de1c470b2ba22b8628de9a10b7d81e9f453eb94a46a9d0875f7f1705409c
SHA512

10860f548f96cdd2c04ab5a8e5d5cec24b0bd519af3755e7282a0f5e2a4c87cf2e40aa2377080eb995f0f63cae31b1799ac86868bb5c334a86ad55dc1aabb0e1
SSDEEP

12288:1acQD3RbeX8esbnNVZgtW/g6PIlOv7NF8Q+hbncvj4m3XLU4Yrr0r/F:1hQD35eX8DZWOv7NF8Q+Kkm37ht

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  c240de1c470b2ba22b8628de9a10b7d81e9f453eb94a46a9d0875f7f1705409c.exe
- Size
  
  650KB
- MD5
  
  730cde87925272883e738b9eec270c8d
- SHA1
  
  4dab428287be9155966e69a8f44fe2001e123df1
- SHA256
  
  c240de1c470b2ba22b8628de9a10b7d81e9f453eb94a46a9d0875f7f1705409c
- SHA512
  
  10860f548f96cdd2c04ab5a8e5d5cec24b0bd519af3755e7282a0f5e2a4c87cf2e40aa2377080eb995f0f63cae31b1799ac86868bb5c334a86ad55dc1aabb0e1
- SSDEEP
  
  12288:1acQD3RbeX8esbnNVZgtW/g6PIlOv7NF8Q+hbncvj4m3XLU4Yrr0r/F:1hQD35eX8DZWOv7NF8Q+Kkm37ht
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan