formbook | 9c879cc3fc1fae674781f67f8d12beb21afd8c0deb4587f6766bbcbf48c1b084 | Triage

Resubmissions

14-01-2025 12:44

250114-pyg3csykcw 10

14-01-2025 10:55

250114-m1lr8awnat 10

Sharing

General

Target

9c879cc3fc1fae674781f67f8d12beb21afd8c0deb4587f6766bbcbf48c1b084
Size

589KB
Sample

250114-m1lr8awnat
MD5

d2e61aa15cbe306d3351267e99050f55
SHA1

20eb69a88a8222c43df55e167cbf93ddfe39f198
SHA256

9c879cc3fc1fae674781f67f8d12beb21afd8c0deb4587f6766bbcbf48c1b084
SHA512

4362e47965bb88aed9e16d6739c1c7bfbd9a8426e00bf7ad8c2e6422a4474dfb7857b3c691334cdb4af1f0fc08a1e9af5811c50cd53eab8d2442ab9408b4ddb6
SSDEEP

12288:shErSsKJRSuHr/wC20cxcFi19AvKRVTiu8Htl1qh6B2za4sO6AD+8V:s+r1uHLQG9sinChUkEAS+

Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Targets

- Target
  
  New purchase order.exe
- Size
  
  650KB
- MD5
  
  1b507df9a13477b647da450a1b79b2e7
- SHA1
  
  b0de85855b3462fe0b37c79831b391eeb044e437
- SHA256
  
  a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91
- SHA512
  
  37dcc8dd92a84009f81ebf394001de49bcf75818227bdbe135578f8f1dc57f4119c4cb6efd91ec70fe12202854ca472ec7435d3c0f713bf770f09967d61fe6a7
- SSDEEP
  
  12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE
Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka01ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka01ddiscoveryexecutionratspywarestealertrojan