formbook | fa3e852fa9dde2dde0c1e2254f81059f8c2f1088596e0fb9aa2e37583c26ead5 | Triage

Sharing

General

Target

z57novaordempdf.exe
Size

831KB
Sample

250130-nmpgma1rcl
MD5

1389296f0946aea604c44a973f58f8c2
SHA1

9cba48137f602affcb479dad998a47b0ae0ff6b2
SHA256

fa3e852fa9dde2dde0c1e2254f81059f8c2f1088596e0fb9aa2e37583c26ead5
SHA512

62e60fd761804bbec0aa8be992b16d8cb1fd052ade0f877cf89f9ea4372f3768742957ab3fc84302a16039708738c4074e2f43972a048ff1d73d15cc33e8019f
SSDEEP

12288:UOUM8HrDxIVbZ1PbgdJZAFsaQAjX0hsdEwkZdxLT+YGxd:bUMme/1kZgtkKEwmdK

Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g10y

Decoy

oofingpro.xyz

sertc.xyz

toaas.xyz

appysnacks.store

julio.tech

nfluencer-marketing-67952.bond

rginine888.store

haampion-slotss.bet

anicajet.xyz

lumber-jobs-91014.bond

eartsandco.store

ctualiza.icu

iso23.vip

udihebohofficial.boats

lackt.xyz

ymonejohnsonart.online

dereji.info

msqdhccc3.shop

auptstadttarif.online

overebyvibes.online

Targets

- Target
  
  z57novaordempdf.exe
- Size
  
  831KB
- MD5
  
  1389296f0946aea604c44a973f58f8c2
- SHA1
  
  9cba48137f602affcb479dad998a47b0ae0ff6b2
- SHA256
  
  fa3e852fa9dde2dde0c1e2254f81059f8c2f1088596e0fb9aa2e37583c26ead5
- SHA512
  
  62e60fd761804bbec0aa8be992b16d8cb1fd052ade0f877cf89f9ea4372f3768742957ab3fc84302a16039708738c4074e2f43972a048ff1d73d15cc33e8019f
- SSDEEP
  
  12288:UOUM8HrDxIVbZ1PbgdJZAFsaQAjX0hsdEwkZdxLT+YGxd:bUMme/1kZgtkKEwmdK
Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg10ydiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg10ydiscoveryexecutionratspywarestealertrojan