formbook | b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618 | Triage

Sharing

General

Target

b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe
Size

550KB
Sample

241205-cqbt6atkbt
MD5

304ae39e62244a946e1cef21393fe3b7
SHA1

6157b6191e3df5d1a01776cadd0e3988e7597bc8
SHA256

b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618
SHA512

8d765cc52575334ecf36256eb8ce0c6a2061b43b0d959888542111859b864cbe4227fdbb567a5db881fc97b1e19999e0c57b3b4cd875eea9264ea4715a2234ed
SSDEEP

12288:5MUgm/3dE/fGiCNGiTVTsdrE0V92fO/lk9onzNXxn2ive:5M2//iCRSdrZV92f79onzNXEive

Score

10^/10

formbook giok discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

giok

Decoy

royaltysplit.xyz

home-remodeling-32327.bond

ocosoap.download

mx51pbk5z3.top

sapidermen154.buzz

always23082025.info

jencodiahcp.net

psychologist-therapy-13104.bond

okigoods.online

posedon.online

ryclegalpartners.info

seek-zapatosenlinea-cl.info

xataa.info

vitalityyvault.online

hallice732.xyz

snspleak.info

ilbrentdigitalx.info

breast-implants-17988.bond

subedisaurav.site

instamoney.website

Targets

- Target
  
  b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe
- Size
  
  550KB
- MD5
  
  304ae39e62244a946e1cef21393fe3b7
- SHA1
  
  6157b6191e3df5d1a01776cadd0e3988e7597bc8
- SHA256
  
  b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618
- SHA512
  
  8d765cc52575334ecf36256eb8ce0c6a2061b43b0d959888542111859b864cbe4227fdbb567a5db881fc97b1e19999e0c57b3b4cd875eea9264ea4715a2234ed
- SSDEEP
  
  12288:5MUgm/3dE/fGiCNGiTVTsdrE0V92fO/lk9onzNXxn2ive:5M2//iCRSdrZV92f79onzNXEive
Score

10^/10

formbook giok discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgiokdiscoverypersistenceratspywarestealertrojan

behavioral2

formbookgiokratspywarestealertrojan