formbook | b8a517a65d37e87f93f85df0dd0cffa075c49c6d8438e8663ed50e59a4647b5b | Triage

Sharing

General

Target

b8a517a65d37e87f93f85df0dd0cffa075c49c6d8438e8663ed50e59a4647b5b
Size

615KB
Sample

241224-jh8mgssrhm
MD5

0d9add45e650ea3b073f897a94a2dc3c
SHA1

6a3661bfc0795fab2a0764a2388d34c8cdcbea76
SHA256

b8a517a65d37e87f93f85df0dd0cffa075c49c6d8438e8663ed50e59a4647b5b
SHA512

09ea0374eeaaff90056148ac2870fd0ba5eced1677ef9290e82f7467294aa796453a327a4c555c8c051cd944d3c53188a210fd6b4ee06822dedb5e2f76117662
SSDEEP

12288:M3OGNG6J3xNzLxLqBpyc4hJ48AotSlw3Uz8YtZUrhl3oWuvRbf7M:M3v9VWBp94g8JCw3Uz1UToWqR7g

Score

10^/10

formbook k49s discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k49s

Decoy

ufberyrubiest.shop

tpanekatotosite.top

esona805158762.xyz

earing-tests-15487.bond

rediksitiraitoto.xyz

tore-playstore.online

mpresarialpx38.online

ufxusa.net

reativedesigns.lat

leaning-services-47614.bond

959725nptklnq923.top

treziop.xyz

eubel-bestseller.online

uynewcars.xyz

all-panels-74750.bond

erviceninjas.vip

arectoroffice.xyz

oviesgpt.app

ractors-22059.bond

rakenfitness.info

Targets

- Target
  
  new order.exe
- Size
  
  683KB
- MD5
  
  6d7e6654f32d5e775819b21895c968b1
- SHA1
  
  e5c4522e22314b1b34a726bec182201556d95225
- SHA256
  
  792bdecda049100bcddb388c74b9fa5aa21d30a167786f1e5a99091a6e77c430
- SHA512
  
  c4fb5b11eec0fd71ac928ddfddc199d7240e9088f84f519b8f2cda43cffdca0d05e7c29de55e1f63c1548d24797447ad92c8df334a043cb5847e661ea879d2b4
- SSDEEP
  
  12288:q0e4F55OHTDP6ko4H93fe4W5LLqIJnrC7pXvwzzcVh/x2SsbDWb:o4FXOPRve4W5L2I5ruSfMh2Wb
Score

10^/10

formbook k49s discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookk49sdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookk49sdiscoveryexecutionratspywarestealertrojan