formbook | f52a93f8fb6a1b20bd591f6bf9f7d68acfc0e8dd6ea5413faf3619017a3b8166 | Triage

Sharing

General

Target

f52a93f8fb6a1b20bd591f6bf9f7d68acfc0e8dd6ea5413faf3619017a3b8166
Size

717KB
Sample

241130-rxw61a1jbk
MD5

bcd3ac711cdf56e6e03fe256665a0807
SHA1

d325f7f6f59f864e8018bf0ea5151f024362458e
SHA256

f52a93f8fb6a1b20bd591f6bf9f7d68acfc0e8dd6ea5413faf3619017a3b8166
SHA512

45d04f2e2b5aa48e18d9e3c6fd2ff14d7454c4a1bfb53afa91df201fba4417a28ba11a7533f703bc8ee95d2f2d6684881a2705772fc4af836a7c8ce4468c7779
SSDEEP

12288:uRXiB7TNR10CeIv1rtifquSPjeO/8NjwWqz8fBzKk3Wwmo/4Nt/R709qJGfyi8i5:uRXi5JX0Qv1roiF6wWMO94S/w/uobO81

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

- Target
  
  f52a93f8fb6a1b20bd591f6bf9f7d68acfc0e8dd6ea5413faf3619017a3b8166
- Size
  
  717KB
- MD5
  
  bcd3ac711cdf56e6e03fe256665a0807
- SHA1
  
  d325f7f6f59f864e8018bf0ea5151f024362458e
- SHA256
  
  f52a93f8fb6a1b20bd591f6bf9f7d68acfc0e8dd6ea5413faf3619017a3b8166
- SHA512
  
  45d04f2e2b5aa48e18d9e3c6fd2ff14d7454c4a1bfb53afa91df201fba4417a28ba11a7533f703bc8ee95d2f2d6684881a2705772fc4af836a7c8ce4468c7779
- SSDEEP
  
  12288:uRXiB7TNR10CeIv1rtifquSPjeO/8NjwWqz8fBzKk3Wwmo/4Nt/R709qJGfyi8i5:uRXi5JX0Qv1roiF6wWMO94S/w/uobO81
Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdn13discoveryexecutionratspywarestealertrojan

behavioral2

formbookdn13discoveryexecutionratspywarestealertrojan