formbook | 2ac3cd9003ac22ebc5e90354bea74a0152c91421bcb256c58cff14f71fd1ef4d | Triage

Sharing

General

Target

New order.zip
Size

779KB
Sample

250204-tnkgys1mh1
MD5

54b60b88f1730fb18cd9ea0bdd35aa62
SHA1

7c21e6cce8a3c3d1050c2a6c0660e0845d825192
SHA256

2ac3cd9003ac22ebc5e90354bea74a0152c91421bcb256c58cff14f71fd1ef4d
SHA512

4b4daa814a4b7dfdd1d98409e08d96bae6e9da7b6eed43b0a559e464d930c5e49b849279def5011df2c6ad2cc4cb4d7b306d4cf1003392211b736a8f25b1deba
SSDEEP

24576:wd3VxUBtbIoc42RwwCiDuI3ci0SSI2h2U3dc+wW:+VG3jqPCiaY90SSF2Z+9

Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Targets

- Target
  
  New order.exe
- Size
  
  908KB
- MD5
  
  624e535330a688d0e78e8a4e4ca70d97
- SHA1
  
  07161ed138f1ee9b5463391d6398b8f85a9dd2b6
- SHA256
  
  30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351
- SHA512
  
  ce5e3b37da471efac83f2c9b0f1554756385af0cc68589eec427924fd7b61d561863c309aca01f04019c887196e9da3c2e4396a08082b667edae0b1a84536fb3
- SSDEEP
  
  12288:h8SCnWMYou4yCyCx++xHDZqhxGrK6PJ9UqOMBXaWpelivORs9iV5V:h8SCnWMvyCyC8+xkxGnDUqOM1Gi22k3
Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka01ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka01ddiscoveryexecutionratspywarestealertrojan