formbook | 86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161 | Triage

Sharing

General

Target

86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161.exe
Size

870KB
Sample

241204-ddc25atlhj
MD5

601b0892a95e423fa9e9ab2d95ce1085
SHA1

071f413d4af58e9db3f78a47033c36156f4c60ab
SHA256

86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161
SHA512

aa049f6350ef62e3d1539f5f4632b851c27acf188ec8557b2ed96282a94207cae8ba68986900b4fccd29d5987112e1f57f2ec91bbf5993a30747b0a7b17ebb8b
SSDEEP

12288:976/k8LlJL7kajr+olWltWKWkfLtJz9ermpg9A+g1x2lQe2es+HMLInIckR:iLfLjr+7f7WUjTpgeB32utMIr

Score

10^/10

formbook p25o discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p25o

Decoy

hrist-centered-soulcare.net

pacerpa.shop

hicandcurvy.shop

ocfamilyto.llc

9ds87666.men

sia918ku.shop

nvestment-broker-35141.bond

ltralicencas.shop

g1lmb.cyou

eyo.live

pupt.rest

indsetperfection.net

1duqqrzs65zxz.bond

eren138-pro2.click

leaning-products-35959.bond

oodea.online

hlbadienug.info

innivip.bio

funnygame.top

roperty-in-dubai-f.pro

Targets

- Target
  
  86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161.exe
- Size
  
  870KB
- MD5
  
  601b0892a95e423fa9e9ab2d95ce1085
- SHA1
  
  071f413d4af58e9db3f78a47033c36156f4c60ab
- SHA256
  
  86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161
- SHA512
  
  aa049f6350ef62e3d1539f5f4632b851c27acf188ec8557b2ed96282a94207cae8ba68986900b4fccd29d5987112e1f57f2ec91bbf5993a30747b0a7b17ebb8b
- SSDEEP
  
  12288:976/k8LlJL7kajr+olWltWKWkfLtJz9ermpg9A+g1x2lQe2es+HMLInIckR:iLfLjr+7f7WUjTpgeB32utMIr
Score

10^/10

formbook p25o discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookp25odiscoveryexecutionratspywarestealertrojan

behavioral2

formbookp25odiscoveryexecutionratspywarestealertrojan