formbook | f6f8e9f276a4246055e3bdc46ad1276ef453cbf6d6e8affe67127ea0099bece8 | Triage

Sharing

General

Target

f6f8e9f276a4246055e3bdc46ad1276ef453cbf6d6e8affe67127ea0099bece8
Size

692KB
Sample

241203-rcre1sykhy
MD5

6d137688fd296841b3f9e6b5df57a0fe
SHA1

8734f0b46d14f1af7b78d216ec4c120d87b8a636
SHA256

f6f8e9f276a4246055e3bdc46ad1276ef453cbf6d6e8affe67127ea0099bece8
SHA512

dd9706e44a2930959322ad9429fb9155f2b3755c8a1b8d7440e442f754c9082475e096cf4ffc05d039f5c3eff9dca43e2fd826a636d8a46dad61ec049d487439
SSDEEP

12288:fRwEIR4R52J+XtCKSX0YxwIPYRPXrmoEDK1vzXYlznMriukrrZIR:fRwEIeevKA0KwIPYd7mopslBI

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  f6f8e9f276a4246055e3bdc46ad1276ef453cbf6d6e8affe67127ea0099bece8
- Size
  
  692KB
- MD5
  
  6d137688fd296841b3f9e6b5df57a0fe
- SHA1
  
  8734f0b46d14f1af7b78d216ec4c120d87b8a636
- SHA256
  
  f6f8e9f276a4246055e3bdc46ad1276ef453cbf6d6e8affe67127ea0099bece8
- SHA512
  
  dd9706e44a2930959322ad9429fb9155f2b3755c8a1b8d7440e442f754c9082475e096cf4ffc05d039f5c3eff9dca43e2fd826a636d8a46dad61ec049d487439
- SSDEEP
  
  12288:fRwEIR4R52J+XtCKSX0YxwIPYRPXrmoEDK1vzXYlznMriukrrZIR:fRwEIeevKA0KwIPYd7mopslBI
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan