formbook | 210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f | Triage

Sharing

General

Target

210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f
Size

681KB
Sample

250204-hwee5ayrhv
MD5

f3c65d21c85f13bd02bd9ccde0fe7204
SHA1

f6cccacd078dc1ba74271fe901b6755fe6bbc3a0
SHA256

210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f
SHA512

8e496e7c853f247e48e4f9fac912c9a2738a178d201cbbe4340464fa84be7801d6b7cd6172f6c1fc47db6b1e134ea1cb9742f3b92e80846b069986e74845dea3
SSDEEP

12288:JYSGuxswecl9UWCUnRAD4vksa3nnZSNz/MZ9b8qEE71el9EihGj3NykXnxzA:UwegCUGD4csUZYz0Z9dh5icj34ux

Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

i54ly657ur.autos

stove-10000.bond

furkanenes.live

foziaclothing.shop

peron.app

landscaping-services-88568.bond

home-remodeling-96005.bond

offersnow-store.shop

apsida.tech

ux-design-courses-90368.bond

nb-event-b2b.online

2tdb3dk65m.skin

juniper.fit

eurosirel.info

web-cfe.one

a48268104.top

darkoxygen.info

beautysideup.shop

solar-battery-34557.bond

dib57.top

Targets

- Target
  
  210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f
- Size
  
  681KB
- MD5
  
  f3c65d21c85f13bd02bd9ccde0fe7204
- SHA1
  
  f6cccacd078dc1ba74271fe901b6755fe6bbc3a0
- SHA256
  
  210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f
- SHA512
  
  8e496e7c853f247e48e4f9fac912c9a2738a178d201cbbe4340464fa84be7801d6b7cd6172f6c1fc47db6b1e134ea1cb9742f3b92e80846b069986e74845dea3
- SSDEEP
  
  12288:JYSGuxswecl9UWCUnRAD4vksa3nnZSNz/MZ9b8qEE71el9EihGj3NykXnxzA:UwegCUGD4csUZYz0Z9dh5icj34ux
Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgediscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgediscoveryexecutionratspywarestealertrojan