formbook | 2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57 | Triage

Sharing

General

Target

890983726372673.exe
Size

722KB
Sample

250120-rgn6fssrel
MD5

0c883414fcda149f14bfe37c2bd9fc79
SHA1

cf99ca86cfac68a7414ce261bdbc04263de1ee77
SHA256

2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
SHA512

2cdce3e4094cd4c72d3f4618fdcbaac2548bbddb4b4471d7f3838817913574a8b63b890be5a1ed8ce0a244fe24114d6cc25004dcd6be8ae62c0703b7e1815067
SSDEEP

12288:ZSihRSUunB2fP+rnhBR44lSQ5XUIT7sLzm1BHS/YlJ/GOX89rUU0+KlQlNLn:0xnumz1UITez4BlR7XQ59KaHLn

Score

10^/10

formbook 3nop discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

subur88wap.sbs

tyai1.top

skillbeast.site

kcclassiccars.net

lghomes.net

eijanno.cyou

work-in-usa-60100.bond

268chill.store

bharatwin.biz

cakjitu01.xyz

misafert.xyz

hiretemp.net

lvekz-onearmed.top

amanda-manopo.info

seo-companies22.online

casinowalletth.net

maynrson.monster

bewizi.com

thedronetechhub.shop

car-insurance-93947.bond

Targets

- Target
  
  890983726372673.exe
- Size
  
  722KB
- MD5
  
  0c883414fcda149f14bfe37c2bd9fc79
- SHA1
  
  cf99ca86cfac68a7414ce261bdbc04263de1ee77
- SHA256
  
  2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
- SHA512
  
  2cdce3e4094cd4c72d3f4618fdcbaac2548bbddb4b4471d7f3838817913574a8b63b890be5a1ed8ce0a244fe24114d6cc25004dcd6be8ae62c0703b7e1815067
- SSDEEP
  
  12288:ZSihRSUunB2fP+rnhBR44lSQ5XUIT7sLzm1BHS/YlJ/GOX89rUU0+KlQlNLn:0xnumz1UITez4BlR7XQ59KaHLn
Score

10^/10

formbook 3nop discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook3nopdiscoveryexecutionratspywarestealertrojan

behavioral2

formbook3nopdiscoveryexecutionratspywarestealertrojan