formbook | d0d2ac5af6ecfdf27de6c45ab86d521294350c5a64942cd15bb5d9a1ae23b0f1 | Triage

Sharing

General

Target

New Order 270125.exe
Size

652KB
Sample

250128-rqs6rs1ncs
MD5

afc33498ec902925b33f3c4f3d721891
SHA1

73cda19a7d80942886ea6e3134cf5e67254aa53d
SHA256

d0d2ac5af6ecfdf27de6c45ab86d521294350c5a64942cd15bb5d9a1ae23b0f1
SHA512

a2790add0dd56c65620254b725116f5c6a298e4458bb85ca3005b4ca4d4eb1dafb24f024ad901000df71fd159d303704e27e502584660dab239df179d8fc861e
SSDEEP

12288:Rpj04iXafESFAKeQyS53EuMDGJDukBO0InmWwJzTnv:biX02834DsrBO05WezL

Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Targets

- Target
  
  New Order 270125.exe
- Size
  
  652KB
- MD5
  
  afc33498ec902925b33f3c4f3d721891
- SHA1
  
  73cda19a7d80942886ea6e3134cf5e67254aa53d
- SHA256
  
  d0d2ac5af6ecfdf27de6c45ab86d521294350c5a64942cd15bb5d9a1ae23b0f1
- SHA512
  
  a2790add0dd56c65620254b725116f5c6a298e4458bb85ca3005b4ca4d4eb1dafb24f024ad901000df71fd159d303704e27e502584660dab239df179d8fc861e
- SSDEEP
  
  12288:Rpj04iXafESFAKeQyS53EuMDGJDukBO0InmWwJzTnv:biX02834DsrBO05WezL
Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka03ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka03ddiscoveryexecutionratspywarestealertrojan