formbook | 4771d8111d90add383fdb0d0ec8495993fe143b7d5db63104f1d64d82ebf4bd4 | Triage

Sharing

General

Target

4771d8111d90add383fdb0d0ec8495993fe143b7d5db63104f1d64d82ebf4bd4
Size

597KB
Sample

241221-tw392asrhn
MD5

6e26b125b8e47f1860b643dee1491833
SHA1

f62b83b7b0bb240b095f06c0d0ee25a1fad9d865
SHA256

4771d8111d90add383fdb0d0ec8495993fe143b7d5db63104f1d64d82ebf4bd4
SHA512

36af08131fefe1a3006f3cad351dee1d8d0c0853102f3fd5990b4ef67ddd92b0771535f0b49f5b26ea140691785cb0ec4ba8f985f7e04ee7506a3df0ef3d884f
SSDEEP

12288:VnzOif3bs6cLjhNG7YCQ6SRvmDDpAy74U+S7I0EL3K48L3b/x6sOoQsCMSoU3fhI:VzOiJSj3G7w3vmHpHb7ILKhrbJVaMD

Score

10^/10

formbook gs25 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Targets

- Target
  
  ORDEN DE COMPRA.exe
- Size
  
  646KB
- MD5
  
  70bde9fa5edadae3f5297aa0f16400db
- SHA1
  
  2c940e38e28a1b8b4463ba0aec7f43fc0f9f99ac
- SHA256
  
  e4c12ae8b0d5cbc65ece0631c799e6c4129bef10796d6f559865080c2c6684cc
- SHA512
  
  550eb811029da589d7e567eb138df698fb9b35296dce5c40dfb826875418482b309dfbc6c70fcaef5a465011905ac3b9f8290f965c45ae2397068a0878a0c4c2
- SSDEEP
  
  12288:mES23pYuJ9bj2vB68pMOCtcZN7Kz9yPOp7hbjA48D+QmL5iBKOr:3evBDKOCtgBAy8ggiB
Score

10^/10

formbook gs25 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgs25discoveryexecutionratspywarestealertrojan

behavioral2

formbookgs25discoveryexecutionratspywarestealertrojan