formbook | 6f3d1b553efdcf03ca4575b2c6afa39cd845bb306adcd6e876864321e7e74a5b | Triage

Sharing

General

Target

5c7908f7626c74e9233895e903b7de4a.exe
Size

660KB
Sample

250115-qwzp3atqd1
MD5

5c7908f7626c74e9233895e903b7de4a
SHA1

91275d7d5ba3a296323bb6fb963a8aa798808eda
SHA256

6f3d1b553efdcf03ca4575b2c6afa39cd845bb306adcd6e876864321e7e74a5b
SHA512

90af34c75533f74e0a81880e00ed5fae69ce1cc650bb54c35d244c38dd3b6e3db62b8a752cc81a681898a04771dbbde0116b346f3c6bbb6c26253187105ef55f
SSDEEP

12288:vnYRxA4Y5lyA/BxSPCmPX50CO5jlvHLULZlxqaaA6b4e9O5fYYD6/IhU3A5JU3IY:QR5v565jJrUPxBb9h5QYDMIhSmAZJ

Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

i54ly657ur.autos

stove-10000.bond

furkanenes.live

foziaclothing.shop

peron.app

landscaping-services-88568.bond

home-remodeling-96005.bond

offersnow-store.shop

apsida.tech

ux-design-courses-90368.bond

nb-event-b2b.online

2tdb3dk65m.skin

juniper.fit

eurosirel.info

web-cfe.one

a48268104.top

darkoxygen.info

beautysideup.shop

solar-battery-34557.bond

dib57.top

Targets

- Target
  
  5c7908f7626c74e9233895e903b7de4a.exe
- Size
  
  660KB
- MD5
  
  5c7908f7626c74e9233895e903b7de4a
- SHA1
  
  91275d7d5ba3a296323bb6fb963a8aa798808eda
- SHA256
  
  6f3d1b553efdcf03ca4575b2c6afa39cd845bb306adcd6e876864321e7e74a5b
- SHA512
  
  90af34c75533f74e0a81880e00ed5fae69ce1cc650bb54c35d244c38dd3b6e3db62b8a752cc81a681898a04771dbbde0116b346f3c6bbb6c26253187105ef55f
- SSDEEP
  
  12288:vnYRxA4Y5lyA/BxSPCmPX50CO5jlvHLULZlxqaaA6b4e9O5fYYD6/IhU3A5JU3IY:QR5v565jJrUPxBb9h5QYDMIhSmAZJ
Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgediscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgediscoveryexecutionratspywarestealertrojan