formbook | 8adda0f30418ad3d9b31781081a98942ebe359026525315f33665b7d27a58d45 | Triage

Sharing

General

Target

8adda0f30418ad3d9b31781081a98942ebe359026525315f33665b7d27a58d45
Size

599KB
Sample

250203-m1qq6s1ldp
MD5

af35f75c94343f35860ed9b94e22eba3
SHA1

3fc16ae50536effbef2c03154377571dce026c19
SHA256

8adda0f30418ad3d9b31781081a98942ebe359026525315f33665b7d27a58d45
SHA512

a1ffbf30617fecf0f653a42b04541f9f3b7caa1ad9559e824099e4041c593a8fe988b4ecfe44ba2da4ef1ffba8c2153858bab98fedba6aa1815d34164a33a57c
SSDEEP

12288:sRT3pLB4935ueKYqS7My/xvReJyjmgF9Pw9gSolOkWA3:W3Q3Ryy/xvR+yxPhEM

Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g10y

Decoy

oofingpro.xyz

sertc.xyz

toaas.xyz

appysnacks.store

julio.tech

nfluencer-marketing-67952.bond

rginine888.store

haampion-slotss.bet

anicajet.xyz

lumber-jobs-91014.bond

eartsandco.store

ctualiza.icu

iso23.vip

udihebohofficial.boats

lackt.xyz

ymonejohnsonart.online

dereji.info

msqdhccc3.shop

auptstadttarif.online

overebyvibes.online

Targets

- Target
  
  nová objednávka pdf.exe
- Size
  
  679KB
- MD5
  
  ade005f0c8b870988e8958645ebfbfc4
- SHA1
  
  57e863cca6d9218b002811be571bc46388d99235
- SHA256
  
  ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d
- SHA512
  
  564955aaf52fea80788c491a396cab6f0e34cc67dbe35e9ba2c71af26eda6e2c88e3eb16ecc1e7ae86ef686048972eacd31761985cd42b06d2bb72d49568fbc0
- SSDEEP
  
  12288:sYxiDmswecl9kaxe6YCS7soBnvRYhmlmgvzPMpIbnL9fo6KRJNLYgja4KKR:+weMcqoBnvRimhPkE+Vfja4
Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg10ydiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg10ydiscoveryexecutionratspywarestealertrojan