formbook | 792bdecda049100bcddb388c74b9fa5aa21d30a167786f1e5a99091a6e77c430 | Triage

Sharing

General

Target

new order.exe
Size

683KB
Sample

241224-mghlfsvnhp
MD5

6d7e6654f32d5e775819b21895c968b1
SHA1

e5c4522e22314b1b34a726bec182201556d95225
SHA256

792bdecda049100bcddb388c74b9fa5aa21d30a167786f1e5a99091a6e77c430
SHA512

c4fb5b11eec0fd71ac928ddfddc199d7240e9088f84f519b8f2cda43cffdca0d05e7c29de55e1f63c1548d24797447ad92c8df334a043cb5847e661ea879d2b4
SSDEEP

12288:q0e4F55OHTDP6ko4H93fe4W5LLqIJnrC7pXvwzzcVh/x2SsbDWb:o4FXOPRve4W5L2I5ruSfMh2Wb

Score

10^/10

formbook k49s discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k49s

Decoy

ufberyrubiest.shop

tpanekatotosite.top

esona805158762.xyz

earing-tests-15487.bond

rediksitiraitoto.xyz

tore-playstore.online

mpresarialpx38.online

ufxusa.net

reativedesigns.lat

leaning-services-47614.bond

959725nptklnq923.top

treziop.xyz

eubel-bestseller.online

uynewcars.xyz

all-panels-74750.bond

erviceninjas.vip

arectoroffice.xyz

oviesgpt.app

ractors-22059.bond

rakenfitness.info

Targets

- Target
  
  new order.exe
- Size
  
  683KB
- MD5
  
  6d7e6654f32d5e775819b21895c968b1
- SHA1
  
  e5c4522e22314b1b34a726bec182201556d95225
- SHA256
  
  792bdecda049100bcddb388c74b9fa5aa21d30a167786f1e5a99091a6e77c430
- SHA512
  
  c4fb5b11eec0fd71ac928ddfddc199d7240e9088f84f519b8f2cda43cffdca0d05e7c29de55e1f63c1548d24797447ad92c8df334a043cb5847e661ea879d2b4
- SSDEEP
  
  12288:q0e4F55OHTDP6ko4H93fe4W5LLqIJnrC7pXvwzzcVh/x2SsbDWb:o4FXOPRve4W5L2I5ruSfMh2Wb
Score

10^/10

formbook k49s discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookk49sdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookk49sdiscoveryexecutionratspywarestealertrojan