formbook | 9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc | Triage

Sharing

General

Target

9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc.exe
Size

724KB
Sample

250121-dz43qstpcp
MD5

4325c56733bc218985a5cf909f5bb27f
SHA1

173d8534b685f1eefa9c84df60592404444be599
SHA256

9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
SHA512

f3bc75edaa774abafa14aedbf44c30c450c9dcb92f4c92c73e7e66382222ea5dd04e038056fbfdcb9cc526c61e4f8780f43334e1f3d4f266fb59688e6862985c
SSDEEP

12288:R3ihRSUunFgIOeC9Ujifjqlxr/GH18yhO50gOrCQflaaufB2EL/WFRwqVjlzilN7:dxnFgSQAxKH18j5fiavfJLuFRfYLn

Score

10^/10

formbook 3nop discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

subur88wap.sbs

tyai1.top

skillbeast.site

kcclassiccars.net

lghomes.net

eijanno.cyou

work-in-usa-60100.bond

268chill.store

bharatwin.biz

cakjitu01.xyz

misafert.xyz

hiretemp.net

lvekz-onearmed.top

amanda-manopo.info

seo-companies22.online

casinowalletth.net

maynrson.monster

bewizi.com

thedronetechhub.shop

car-insurance-93947.bond

Targets

- Target
  
  9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc.exe
- Size
  
  724KB
- MD5
  
  4325c56733bc218985a5cf909f5bb27f
- SHA1
  
  173d8534b685f1eefa9c84df60592404444be599
- SHA256
  
  9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
- SHA512
  
  f3bc75edaa774abafa14aedbf44c30c450c9dcb92f4c92c73e7e66382222ea5dd04e038056fbfdcb9cc526c61e4f8780f43334e1f3d4f266fb59688e6862985c
- SSDEEP
  
  12288:R3ihRSUunFgIOeC9Ujifjqlxr/GH18yhO50gOrCQflaaufB2EL/WFRwqVjlzilN7:dxnFgSQAxKH18j5fiavfJLuFRfYLn
Score

10^/10

formbook 3nop discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook3nopdiscoveryexecutionratspywarestealertrojan

behavioral2

formbook3nopdiscoveryexecutionratspywarestealertrojan