formbook | b265f0b8bf110b2d0a0e5e7c244b0a2287b4f222c1c7f6890a8eef9af4da4ffd | Triage

Sharing

General

Target

b265f0b8bf110b2d0a0e5e7c244b0a2287b4f222c1c7f6890a8eef9af4da4ffd.exe
Size

638KB
Sample

250111-fh3vfsxnap
MD5

89b0f3adc6ab1db516dfb6b88b391889
SHA1

8dfb225e396966f5ef1cec4e86e24f063ef2cb8b
SHA256

b265f0b8bf110b2d0a0e5e7c244b0a2287b4f222c1c7f6890a8eef9af4da4ffd
SHA512

d6be55a82e568c5f20b33b205f5e38991d6094fc8b77e27fdfb9df5137b8c3408b8c09d880e2072dabdf537934122839cb85345cb4d53a464aaa67f7275080c9
SSDEEP

12288:oTzatXXkfTlVKJrfkgZyW2gZkg326y5usx+Xt:oTzatXXkfTlV6MgMgdyx

Score

10^/10

formbook bs84 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs84

Decoy

ehuatang.quest

mart-healthcare.solutions

arehouse-inventory-59593.bond

rumpjokes.net

oonlightshadow.store

odernoob.website

sdmedia.net

0k21l6z.xyz

kwovenart.shop

chvb.bid

06ks28.buzz

grexvc.online

unnycdn02.shop

ettingitgonejunk.net

lubmango.store

ustjump.xyz

ofiveuss.store

aahasti-inter5.rest

etclcg.business

ai365.xyz

Targets

- Target
  
  b265f0b8bf110b2d0a0e5e7c244b0a2287b4f222c1c7f6890a8eef9af4da4ffd.exe
- Size
  
  638KB
- MD5
  
  89b0f3adc6ab1db516dfb6b88b391889
- SHA1
  
  8dfb225e396966f5ef1cec4e86e24f063ef2cb8b
- SHA256
  
  b265f0b8bf110b2d0a0e5e7c244b0a2287b4f222c1c7f6890a8eef9af4da4ffd
- SHA512
  
  d6be55a82e568c5f20b33b205f5e38991d6094fc8b77e27fdfb9df5137b8c3408b8c09d880e2072dabdf537934122839cb85345cb4d53a464aaa67f7275080c9
- SSDEEP
  
  12288:oTzatXXkfTlVKJrfkgZyW2gZkg326y5usx+Xt:oTzatXXkfTlV6MgMgdyx
Score

10^/10

formbook bs84 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbs84discoveryexecutionratspywarestealertrojan

behavioral2

formbookbs84discoveryexecutionratspywarestealertrojan