formbook | f4cbfe2cdaff940a15456017b0e1912aee9bf5af2839550c6796456560143f2f | Triage

Sharing

General

Target

scancopy shipping pdf.r16.rar
Size

604KB
Sample

250206-lv5sgatjgl
MD5

eb891c16b488f00fa4f4ab92712e02b1
SHA1

a6b87b59443886106172b82ce922809c45282d03
SHA256

f4cbfe2cdaff940a15456017b0e1912aee9bf5af2839550c6796456560143f2f
SHA512

227580fc912bec943b568cc55539114ea9fcd93bc39bf46232ab064e751d899e79db4612432d1fcd9ac5020593d38a2fddae0801e3bfc10f955b6f7d8692067a
SSDEEP

12288:Us3JMIUwAOQE8tGzBTOjjv/pMtdh7cRSm+LC4t3Lxq9eEeGX6SGVo:Uk6I3zUfvxWh4F+LCY3LaeEeG6u

Score

10^/10

formbook b02a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b02a

Decoy

nnovate.host

yrvo.shop

obify.party

55665.one

vlisazouasiul.store

arjohbs.shop

mjsccc5716.shop

nfluencer-marketing-86606.bond

atellite-internet-74549.bond

arehouse-inventory-82506.bond

kanzaturf.net

airbypatrickmcguire.net

90880a15.buzz

ancake888.info

hopcroma.store

usinessloanscanada524285.icu

mdjr.world

9kct.xyz

ombrd.finance

luratu.xyz

Targets

- Target
  
  scancopy shipping pdf.exe
- Size
  
  737KB
- MD5
  
  370347aba2b49870171c625a63759e96
- SHA1
  
  662659b756079679b2f68da0a9da05dcbd4885ef
- SHA256
  
  e9a1f5e4de3dfdf6cbd66863a6fa6a638cce8fa9555991756820b5af48682c79
- SHA512
  
  e82de75505af21d52177dfc579a91898726b71fdc8d397058290c0286c53c9079caad56b214302ebd1c715ae7afcbbfdfe439ef75d1d1c670100553aea381c19
- SSDEEP
  
  12288:J5JF8B6slRIp8Tim9uBNyxVjoy15+2hE3vtlM1PH2ZGV3CdCrccu:J5NsRGGim9uBNyxVjRj+jFSHWGV3Cd
Score

10^/10

formbook b02a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookb02adiscoveryexecutionratspywarestealertrojan

behavioral2

formbookb02adiscoveryexecutionratspywarestealertrojan