formbook | 683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9 | Triage

Sharing

General

Target

683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
Size

825KB
Sample

250204-emsdvavkby
MD5

1fc0248bfd3e90bf20cbd80c6ef6e55e
SHA1

bedfb92db83d6c83c09e258bf17494cd54e757bc
SHA256

683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9
SHA512

76f448ff8978a7af8590247a91a90a86cd5fb9bf90789bb52bae5c5926057cec6b5167f7a9ab2dd55fe624286b6fc519a5a90548ba54f4c49f875d85a49c73df
SSDEEP

12288:bzSggsi23jtK05tsNfBCwnM5DTXW3k12JbTIj10B93kiR+QQ2G:bzxk05t0ZCS2T+k12a1K0iR+t2

Score

10^/10

formbook egs9 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

egs9

Decoy

alliancecigars.net

35893.pizza

selidik.cloud

evel789-aman.club

wqsbr5jc.vip

corretoraplanodesaude.shop

balikoltada.xyz

play-vanguard-nirvana.xyz

paktuaslotxcxrtp.xyz

retailzone1997.shop

jk77juta-official.cloud

godmoments.app

flippinforbidsfrear.cloud

234bets.net

cryptobiz.tech

construction-jobs-50157.bond

cuficdarbiesdarleen.cloud

t59bm675ri.skin

ondqwxl.top

kpde.xyz

Targets

- Target
  
  683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9.exe
- Size
  
  825KB
- MD5
  
  1fc0248bfd3e90bf20cbd80c6ef6e55e
- SHA1
  
  bedfb92db83d6c83c09e258bf17494cd54e757bc
- SHA256
  
  683e3979cc09db086095cbe840901b82951df941ed461f89a67b98bd0ffe5ff9
- SHA512
  
  76f448ff8978a7af8590247a91a90a86cd5fb9bf90789bb52bae5c5926057cec6b5167f7a9ab2dd55fe624286b6fc519a5a90548ba54f4c49f875d85a49c73df
- SSDEEP
  
  12288:bzSggsi23jtK05tsNfBCwnM5DTXW3k12JbTIj10B93kiR+QQ2G:bzxk05t0ZCS2T+k12a1K0iR+t2
Score

10^/10

formbook egs9 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookegs9discoveryexecutionratspywarestealertrojan

behavioral2

formbookegs9discoveryexecutionratspywarestealertrojan