formbook | e99f42afcf5f066007e710957563db0122ee9eac3d3d642afccb25c5b1fa2388 | Triage

Sharing

General

Target

06022025_1513_06022025_Doc_1220625.bz
Size

615KB
Sample

250206-sqkp3aylgt
MD5

c9e67c5123d62c2bccfc05ba429ecc66
SHA1

4a5dce4160a0a082bf94fb4d5f8e4d801ce3f41f
SHA256

e99f42afcf5f066007e710957563db0122ee9eac3d3d642afccb25c5b1fa2388
SHA512

1a303e8d4761b1ee853a273f46514000ea4b6e236867247239abb2103c96a9559208dc842bc6471c4f774f0c69dbbfc898f6bcaeefa91c187bbd13913bc92f76
SSDEEP

12288:Ty95m5zID6Ik8xpik+LZRSVF63Jc7SeS1BNoLuuOoXz3:ezhk8xItLLYU3Jc+eSBKLXXz

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  Doc_ 1220625.exe
- Size
  
  738KB
- MD5
  
  27207e6788f168b5c7fc25cf4715004d
- SHA1
  
  98765371928f698680be85d1ccd11ce4ae6b095d
- SHA256
  
  e4522a65f679efbfcf6604c6d3636c62d8d5ccd8fb413d0f446583804424fd77
- SHA512
  
  05b9abf864c431bc554e930a12c90a2729fba13a25f562b0f24c959f95d9383ef0d924a43fe38b39d4124341f98fbf33d1b27e8ad9f2e6add94f7a34b2941c53
- SSDEEP
  
  12288:rRWyvCiBZ4JwtNXNmuPQdotbKQxzpyCi9mOocITX2dN1IGdqCYA8B6slRIp:1WyvDZ4JwtjZPk4mC1oKcITXC7dqCYkr
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan