formbook | ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93 | Triage

Sharing

General

Target

ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93.exe
Size

554KB
Sample

241205-traf6asjgx
MD5

d27430fd2be189b951dde1a9d2d9da9b
SHA1

3d357a23ca8fdf456e2759e895cefe823eb1acc7
SHA256

ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93
SHA512

543727835fcd1bf6e1a70372dd79c654dbe35a0aefc8b0e25dce7d2dfd8d524d6089c0f891a09a0451d3bc973de23baa7471a15d4b01b8ad423a162e1529d8ae
SSDEEP

12288:RMUSpoD2yYPWsb+5yRq5jDVJMWNfLBfmedCcI1sxJiyhhL:RCpo2ZWsbrQjDLT5dmedCyT

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93.exe
- Size
  
  554KB
- MD5
  
  d27430fd2be189b951dde1a9d2d9da9b
- SHA1
  
  3d357a23ca8fdf456e2759e895cefe823eb1acc7
- SHA256
  
  ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93
- SHA512
  
  543727835fcd1bf6e1a70372dd79c654dbe35a0aefc8b0e25dce7d2dfd8d524d6089c0f891a09a0451d3bc973de23baa7471a15d4b01b8ad423a162e1529d8ae
- SSDEEP
  
  12288:RMUSpoD2yYPWsb+5yRq5jDVJMWNfLBfmedCcI1sxJiyhhL:RCpo2ZWsbrQjDLT5dmedCyT
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan