formbook | 8e06ed422edfc7904592e8c8cdacebd0ad5118c4b3dcb3daa404e8e4d97f6e5a | Triage

Sharing

General

Target

NGACIVADAIR25002.exe
Size

931KB
Sample

250205-hxqvjsvrhs
MD5

17b3c938fbf0a3f652288ad1128385a7
SHA1

8818efc1a67778d016396db9aac4a23a30e2c1b9
SHA256

8e06ed422edfc7904592e8c8cdacebd0ad5118c4b3dcb3daa404e8e4d97f6e5a
SHA512

9763f8865a0a334c960b42a05c6157f844bb29b23a4fd0a042b385e7360fc22e9b5602806a20933d5e4442aef0dc30fa16a98eb920d97f4678fa0b7d7456ec4a
SSDEEP

24576:OyjdTYjz6FxM8JGjHlhYN52IYpOG9s+3NI+pxNaCkTZnc:nTOz6FqlHeB4s0kCkTBc

Score

10^/10

formbook b02a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b02a

Decoy

nnovate.host

yrvo.shop

obify.party

55665.one

vlisazouasiul.store

arjohbs.shop

mjsccc5716.shop

nfluencer-marketing-86606.bond

atellite-internet-74549.bond

arehouse-inventory-82506.bond

kanzaturf.net

airbypatrickmcguire.net

90880a15.buzz

ancake888.info

hopcroma.store

usinessloanscanada524285.icu

mdjr.world

9kct.xyz

ombrd.finance

luratu.xyz

Targets

- Target
  
  NGACIVADAIR25002.exe
- Size
  
  931KB
- MD5
  
  17b3c938fbf0a3f652288ad1128385a7
- SHA1
  
  8818efc1a67778d016396db9aac4a23a30e2c1b9
- SHA256
  
  8e06ed422edfc7904592e8c8cdacebd0ad5118c4b3dcb3daa404e8e4d97f6e5a
- SHA512
  
  9763f8865a0a334c960b42a05c6157f844bb29b23a4fd0a042b385e7360fc22e9b5602806a20933d5e4442aef0dc30fa16a98eb920d97f4678fa0b7d7456ec4a
- SSDEEP
  
  24576:OyjdTYjz6FxM8JGjHlhYN52IYpOG9s+3NI+pxNaCkTZnc:nTOz6FqlHeB4s0kCkTBc
Score

10^/10

formbook b02a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookb02adiscoveryexecutionratspywarestealertrojan

behavioral2

formbookb02adiscoveryexecutionratspywarestealertrojan