formbook | b75d75951baa30cbca6f8a7390b0c8baa70094457c57fe154bad5c7a6c702b6b | Triage

Sharing

General

Target

b75d75951baa30cbca6f8a7390b0c8baa70094457c57fe154bad5c7a6c702b6b.zip
Size

615KB
Sample

250117-g7pvkawkdk
MD5

83ec4ec5214855e8c2032fff6312bb93
SHA1

0d27eef177134c51aae42f6d875f454ed124a6c8
SHA256

b75d75951baa30cbca6f8a7390b0c8baa70094457c57fe154bad5c7a6c702b6b
SHA512

cbf9cb9fa943cdd614aad1cdbb8a5065f766ecc0d4227405ded0549b766af89c91a12d62094eaa85fcd8e643b8582913116beb6ad40701f439016c76103a9bb3
SSDEEP

12288:N2OScgVaewwS20dH2P2k6xKMMMBh+W9LbDOU:FbgVaVF2YQuK3ILDOU

Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Targets

- Target
  
  Payment details.exe
- Size
  
  720KB
- MD5
  
  7b0fe6381be15f90bf9cd16adc67e332
- SHA1
  
  11ea9024f45bbd7a37791e9f23ee96de23655cd3
- SHA256
  
  0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd
- SHA512
  
  5fba23ff4057550e94974b0a995c07d1093ba91ba53abbee940c6af1e8e2d31858d85e7baf2d830e44859aaaa900d4c91246d2c3d5f553b3c41dbf5545428221
- SSDEEP
  
  12288:+8lWXV7OuHmoCdeRMBvhTb/EEK1KUMsFP+WZWM7vop:WObyMBRz21K/waM7vg
Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka01ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka01ddiscoveryexecutionratspywarestealertrojan