formbook | f206c3a093c6174558ea0646b12e262d8549bee2255418d8968d3e0bb7218330 | Triage

Sharing

General

Target

f206c3a093c6174558ea0646b12e262d8549bee2255418d8968d3e0bb7218330.exe
Size

761KB
Sample

250207-gne61ssqbn
MD5

bc2dc18dd7aa454ec5fbfc577b222a80
SHA1

6e61da98308d4a79f8a365163c78dd42e4620f97
SHA256

f206c3a093c6174558ea0646b12e262d8549bee2255418d8968d3e0bb7218330
SHA512

89c3b46e02fd78785dba75983f038c0bd3362d3359bea8601ef3f06aec40481e8ec103da554b45112bbd9e9b2ff4d7292aeed3922db4e89414c9f4c26fa98b22
SSDEEP

12288:xSHiFvOGRwS4Sydcb8bfUosGH6d3TpWPYjG+UZdJAyhBVEU28B6slRIp:4HiUGRsSyGbydHG3TpjjG+UrZuU6sRG

Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

i54ly657ur.autos

stove-10000.bond

furkanenes.live

foziaclothing.shop

peron.app

landscaping-services-88568.bond

home-remodeling-96005.bond

offersnow-store.shop

apsida.tech

ux-design-courses-90368.bond

nb-event-b2b.online

2tdb3dk65m.skin

juniper.fit

eurosirel.info

web-cfe.one

a48268104.top

darkoxygen.info

beautysideup.shop

solar-battery-34557.bond

dib57.top

Targets

- Target
  
  f206c3a093c6174558ea0646b12e262d8549bee2255418d8968d3e0bb7218330.exe
- Size
  
  761KB
- MD5
  
  bc2dc18dd7aa454ec5fbfc577b222a80
- SHA1
  
  6e61da98308d4a79f8a365163c78dd42e4620f97
- SHA256
  
  f206c3a093c6174558ea0646b12e262d8549bee2255418d8968d3e0bb7218330
- SHA512
  
  89c3b46e02fd78785dba75983f038c0bd3362d3359bea8601ef3f06aec40481e8ec103da554b45112bbd9e9b2ff4d7292aeed3922db4e89414c9f4c26fa98b22
- SSDEEP
  
  12288:xSHiFvOGRwS4Sydcb8bfUosGH6d3TpWPYjG+UZdJAyhBVEU28B6slRIp:4HiUGRsSyGbydHG3TpjjG+UrZuU6sRG
Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgediscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgediscoveryexecutionratspywarestealertrojan