formbook | 73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430 | Triage

Sharing

General

Target

73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430.exe
Size

650KB
Sample

250115-da1zsayjcz
MD5

d3b75622f7855cdb9f3eb8deaa37f75b
SHA1

6703d2b4e4f9c32224b9aae4a9c5a96844275de0
SHA256

73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430
SHA512

7e44ef7e8f50073083a161be1c80ffbeae7449273e08e64f0b7069abf8210a7c3d8d26a3164fe7540bb0c8105cf124cf61421c67c1fc68b1bd39a346a000b31c
SSDEEP

12288:+nApngDxqg/9CUfvN7uGDJHD8aHQHtpIKzTHucl7Xbqold4tpMRM:+n2ngcI9TfF7uGpDhHQNWK3VlLd4p

Score

10^/10

formbook a02d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Targets

- Target
  
  73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430.exe
- Size
  
  650KB
- MD5
  
  d3b75622f7855cdb9f3eb8deaa37f75b
- SHA1
  
  6703d2b4e4f9c32224b9aae4a9c5a96844275de0
- SHA256
  
  73c0f45b365444e09376cbea6f71b5f877af98eec65f809a6b078f206a6d4430
- SHA512
  
  7e44ef7e8f50073083a161be1c80ffbeae7449273e08e64f0b7069abf8210a7c3d8d26a3164fe7540bb0c8105cf124cf61421c67c1fc68b1bd39a346a000b31c
- SSDEEP
  
  12288:+nApngDxqg/9CUfvN7uGDJHD8aHQHtpIKzTHucl7Xbqold4tpMRM:+n2ngcI9TfF7uGpDhHQNWK3VlLd4p
Score

10^/10

formbook a02d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka02ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka02ddiscoveryexecutionratspywarestealertrojan