formbook | 6da0e6f30c344f1bf21e4e24f3682587e005d4eef92b153bde25f94b70dbbc05 | Triage

Sharing

General

Target

Order 3078.r7.zip
Size

624KB
Sample

250204-n33desvqaz
MD5

734231d1654ce8b46f869e7819b143e3
SHA1

fa500245d6ccd4d29c39c84a291043df0d6316a8
SHA256

6da0e6f30c344f1bf21e4e24f3682587e005d4eef92b153bde25f94b70dbbc05
SHA512

bc64b54598cc4a65aba5a264517a0e51b16444fef10fb35ada70d0a3979256ac2992592985c7d293e23dc263b733ae83fefef47aa4ee26141e9fbd3ad3977b3a
SSDEEP

12288:A6GG5JjXR4epM1IvFg6nplPNIcwHulQzIs5WGMhJDjumqWJj4H5fRX8/eL:Dx5VXCZ1W+6pVa0eJcbJXCWJj4H5fz

Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Targets

- Target
  
  Order 3078.exe
- Size
  
  770KB
- MD5
  
  2c69ec0bd7c4c195a7b6e01274ca4ddf
- SHA1
  
  3346a47b05e495951316a54315716599f48a29f4
- SHA256
  
  b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29
- SHA512
  
  36efcc9dc6bf49507565053379348b1bd072b2452f73b5dc4fc4535d4772fe64ba2c3b838dfd11059cbca08165a4f47d895ca682cadbcc9b1169c8034054f24a
- SSDEEP
  
  12288:Ivdm+wecl9FXW/vsIUhg4/BkRPYHulQXIsbWGKhJHlu4JW:Ms+wegXWn4/BkRPLMJCjJF
Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka01ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka01ddiscoveryexecutionratspywarestealertrojan