formbook | 885b8f641e85513c6b1144673619ff7aa00138b27c7d5431a265f4fc5b615b5c | Triage

Sharing

General

Target

885b8f641e85513c6b1144673619ff7aa00138b27c7d5431a265f4fc5b615b5c
Size

607KB
Sample

250203-n41afszqcw
MD5

4b1d24ad86930bd6e58709ec26ea89d2
SHA1

2f82dfcf17f1b09326fc34b4fa9b8867149a2a88
SHA256

885b8f641e85513c6b1144673619ff7aa00138b27c7d5431a265f4fc5b615b5c
SHA512

14e07b3f4af2d53150db7318b4644762d9a6a8a0159ea29083ea1a3e2449efe1ccd513acb5acfd96c30286bf8188edf3bab5ebaf412f762f2972bd9e91cb86ab
SSDEEP

12288:tsOOrYZgkCOiSXZctvcdhHpXxDs1Kfkl4bhwEItYKjAdYE:taYZgqiIZMvcDHpBCIWAWkKMf

Score

10^/10

formbook g43m discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g43m

Decoy

8328.shop

kronoseletronicos.online

pasanghoki3.homes

comitatogroscavallo.info

online-advertising-96729.bond

cpt1025.top

news-xzurufo.xyz

zycr.shop

loanplan.xyz

osipovs.digital

pgflow.cloud

alooytv17.shop

swirlstakedtawkee.cloud

sipoja.shop

senior-living-17169.bond

junepages.online

heavydutyweld.shop

smarminds.xyz

alistika.info

staplerl.shop

Targets

- Target
  
  Payroll Overpayment_pdf.exe
- Size
  
  693KB
- MD5
  
  dc0cf0105719f618a1bc3559f392346c
- SHA1
  
  d3ce0d937f4014e94be5b4ed2f6aacfe36feb634
- SHA256
  
  68f9c7b5496c4d7699179f8c6f7a79626a03da699cd1986036f03af725218c45
- SHA512
  
  ce3b00a37c1450e87e819121c5370d324e631dcdbdfc01b0c4e4c76f340caa8e0bb1306a4f18a79b63955a3641f8f0ddcff61fda4be8fbab10b8a1d9a9dc8ded
- SSDEEP
  
  12288:JWzlWswecl9+1C/CiSxZcoTBPs/GZP6xvh0pbFOgLLYEAl4bhwSItprbkjkR:IweL1HicZfhs/J0XLLJiAWTrbd
Score

10^/10

formbook g43m discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg43mdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg43mdiscoveryexecutionratspywarestealertrojan