formbook | 090ae9dc91f1165ca92841d7e3485580caa257c2848fed356d78c86e3d72f50b | Triage

Sharing

General

Target

090ae9dc91f1165ca92841d7e3485580caa257c2848fed356d78c86e3d72f50b.exe
Size

639KB
Sample

241203-chr66szpcl
MD5

e27f170a2b309a75d310bba9c485e577
SHA1

03dc059118d1e104887b8e671abb664fe5dcf7a9
SHA256

090ae9dc91f1165ca92841d7e3485580caa257c2848fed356d78c86e3d72f50b
SHA512

46e7cec41a142247a49fd4229f41437dd6ee41e614965cb89890ed2207c8c3c167eb02477c5a106cb3a66f9417e7dad3b9f486c7bbbba4e671171cc724c5dc2d
SSDEEP

12288:yj7xmnHBZEw1CidpPDykBgh9IGqQmmgZd+PASRoWzKgPdf5usx+Xt:27xckw1XpLO+LQk8ASRoWz1px

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  090ae9dc91f1165ca92841d7e3485580caa257c2848fed356d78c86e3d72f50b.exe
- Size
  
  639KB
- MD5
  
  e27f170a2b309a75d310bba9c485e577
- SHA1
  
  03dc059118d1e104887b8e671abb664fe5dcf7a9
- SHA256
  
  090ae9dc91f1165ca92841d7e3485580caa257c2848fed356d78c86e3d72f50b
- SHA512
  
  46e7cec41a142247a49fd4229f41437dd6ee41e614965cb89890ed2207c8c3c167eb02477c5a106cb3a66f9417e7dad3b9f486c7bbbba4e671171cc724c5dc2d
- SSDEEP
  
  12288:yj7xmnHBZEw1CidpPDykBgh9IGqQmmgZd+PASRoWzKgPdf5usx+Xt:27xckw1XpLO+LQk8ASRoWz1px
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan