formbook | 8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988 | Triage

Sharing

General

Target

8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988.exe
Size

773KB
Sample

250111-evp9fstkav
MD5

fcd48a04f4f33f345261a97b86922349
SHA1

9cb919cacbca53efc79d4c2061f26c503d2927f9
SHA256

8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988
SHA512

9b3537b7b73847078d045a0245780cc851cdd772d8f2fb88b95adc523f32d35f33aca8451135a43746d6691edd48bdd7f7f68fb447c401cf1c9f03543b1c905a
SSDEEP

12288:oMqWdd5yerVbCx3YNPvjH63AOFxAFrQJ4E2L/S6bSvTOwyXFQlz:pqWdHrVbCx3YNnja3A6uFO4bZ+iS

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988.exe
- Size
  
  773KB
- MD5
  
  fcd48a04f4f33f345261a97b86922349
- SHA1
  
  9cb919cacbca53efc79d4c2061f26c503d2927f9
- SHA256
  
  8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988
- SHA512
  
  9b3537b7b73847078d045a0245780cc851cdd772d8f2fb88b95adc523f32d35f33aca8451135a43746d6691edd48bdd7f7f68fb447c401cf1c9f03543b1c905a
- SSDEEP
  
  12288:oMqWdd5yerVbCx3YNPvjH63AOFxAFrQJ4E2L/S6bSvTOwyXFQlz:pqWdHrVbCx3YNnja3A6uFO4bZ+iS
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan