formbook | 3c66ec3ccce10af7e58a360fbf188a1c879ad04a37c8fdc29ee7ebb75a28104f | Triage

Sharing

General

Target

05022025_0153_03022025_ИРБИС 350 pdf.exe.xz
Size

583KB
Sample

250205-ca6dtstlbx
MD5

75759b6c8b64ca8fa5771962c01dd370
SHA1

a18e5ea388375e67c29aeb65fb34210e1b12837a
SHA256

3c66ec3ccce10af7e58a360fbf188a1c879ad04a37c8fdc29ee7ebb75a28104f
SHA512

8b64e9247bcc44e5edab905b3004743f736ad705744136e6231274aaf19adc3313a7365040947a7f1cafed14a7cc937fe188c0e0f54003aea986bfb1f13d603e
SSDEEP

12288:CAH5ZEPKYWCUnR2D4vkXaZnnZSTz/AZ9b+qEE71elAEihGY3NHkXnxzu:CYgPaCUsD4cXYZ0z4Z9nhOicY39uxK

Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

i54ly657ur.autos

stove-10000.bond

furkanenes.live

foziaclothing.shop

peron.app

landscaping-services-88568.bond

home-remodeling-96005.bond

offersnow-store.shop

apsida.tech

ux-design-courses-90368.bond

nb-event-b2b.online

2tdb3dk65m.skin

juniper.fit

eurosirel.info

web-cfe.one

a48268104.top

darkoxygen.info

beautysideup.shop

solar-battery-34557.bond

dib57.top

Targets

- Target
  
  05022025_0153_03022025_ИРБИС 350 pdf.exe
- Size
  
  681KB
- MD5
  
  f3c65d21c85f13bd02bd9ccde0fe7204
- SHA1
  
  f6cccacd078dc1ba74271fe901b6755fe6bbc3a0
- SHA256
  
  210c8c40bffff97e6fc7fc670e3a08d67c55307ec73295eff3d2c8b88983a02f
- SHA512
  
  8e496e7c853f247e48e4f9fac912c9a2738a178d201cbbe4340464fa84be7801d6b7cd6172f6c1fc47db6b1e134ea1cb9742f3b92e80846b069986e74845dea3
- SSDEEP
  
  12288:JYSGuxswecl9UWCUnRAD4vksa3nnZSNz/MZ9b8qEE71el9EihGj3NykXnxzA:UwegCUGD4csUZYz0Z9dh5icj34ux
Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgediscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgediscoveryexecutionratspywarestealertrojan