formbook | 422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf | Triage

Sharing

General

Target

09payment swift copy.exe
Size

678KB
Sample

250120-kbabsazqcx
MD5

9b6ddf7049adfbefacd1dbdfe4350061
SHA1

e9451cd4cae7a1d50ae0cdc17156dc685b5158f7
SHA256

422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
SHA512

fcf96b148e9a5369a264f138621a67eb8d3c79b3a39587e5b225aad94dd103fa67b9020b7559d41212019b4c168e9dfd7b7633c6e82a8248261cb5d1cccfd5a8
SSDEEP

12288:G59aYwdc1sW7/sVfmPc/VZHkcAG8Vf+0Zhaewy8UQxTJDC38Sy:tYP1L70oc9ZEcA1L6I8UUr

Score

10^/10

formbook a02d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Targets

- Target
  
  09payment swift copy.exe
- Size
  
  678KB
- MD5
  
  9b6ddf7049adfbefacd1dbdfe4350061
- SHA1
  
  e9451cd4cae7a1d50ae0cdc17156dc685b5158f7
- SHA256
  
  422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
- SHA512
  
  fcf96b148e9a5369a264f138621a67eb8d3c79b3a39587e5b225aad94dd103fa67b9020b7559d41212019b4c168e9dfd7b7633c6e82a8248261cb5d1cccfd5a8
- SSDEEP
  
  12288:G59aYwdc1sW7/sVfmPc/VZHkcAG8Vf+0Zhaewy8UQxTJDC38Sy:tYP1L70oc9ZEcA1L6I8UUr
Score

10^/10

formbook a02d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka02ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka02ddiscoveryexecutionratspywarestealertrojan