formbook | ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d | Triage

Sharing

General

Target

ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d
Size

679KB
Sample

250203-ms56ws1jgp
MD5

ade005f0c8b870988e8958645ebfbfc4
SHA1

57e863cca6d9218b002811be571bc46388d99235
SHA256

ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d
SHA512

564955aaf52fea80788c491a396cab6f0e34cc67dbe35e9ba2c71af26eda6e2c88e3eb16ecc1e7ae86ef686048972eacd31761985cd42b06d2bb72d49568fbc0
SSDEEP

12288:sYxiDmswecl9kaxe6YCS7soBnvRYhmlmgvzPMpIbnL9fo6KRJNLYgja4KKR:+weMcqoBnvRimhPkE+Vfja4

Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g10y

Decoy

oofingpro.xyz

sertc.xyz

toaas.xyz

appysnacks.store

julio.tech

nfluencer-marketing-67952.bond

rginine888.store

haampion-slotss.bet

anicajet.xyz

lumber-jobs-91014.bond

eartsandco.store

ctualiza.icu

iso23.vip

udihebohofficial.boats

lackt.xyz

ymonejohnsonart.online

dereji.info

msqdhccc3.shop

auptstadttarif.online

overebyvibes.online

Targets

- Target
  
  ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d
- Size
  
  679KB
- MD5
  
  ade005f0c8b870988e8958645ebfbfc4
- SHA1
  
  57e863cca6d9218b002811be571bc46388d99235
- SHA256
  
  ac59fca59ca403a16af2066aef8c4e0df4ef0193e8c4b8fe153144384d00be2d
- SHA512
  
  564955aaf52fea80788c491a396cab6f0e34cc67dbe35e9ba2c71af26eda6e2c88e3eb16ecc1e7ae86ef686048972eacd31761985cd42b06d2bb72d49568fbc0
- SSDEEP
  
  12288:sYxiDmswecl9kaxe6YCS7soBnvRYhmlmgvzPMpIbnL9fo6KRJNLYgja4KKR:+weMcqoBnvRimhPkE+Vfja4
Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg10ydiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg10ydiscoveryexecutionratspywarestealertrojan