formbook

General

Target

fdcd11dcd6a96d4ddfefaef7a186277e84c147fa7e33c0994b2deb384e8d0487
Size

4.6MB
Sample

250325-zs8y1awl13
MD5

5661a7ac136a1ff301eacdddda1d1743
SHA1

84b6a2934460af354ab0125c0775360699ea5021
SHA256

fdcd11dcd6a96d4ddfefaef7a186277e84c147fa7e33c0994b2deb384e8d0487
SHA512

7b5348c79b9b9117f71a245ef08d92e41ee37080202de4610ace16dd819e69db5e4830e485d2eca3da3ba0a2fdee599e8824eb795788d04d88e75206883963b1
SSDEEP

98304:CxC7eLLGccR/XQljKzt37waNGZrJcnJuV+epibG07wIzplmOBQ2b:CwXtQmzt37Or6YWG07wIqOx

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gt23

Decoy

awkeyesunspotsunfire.top

valbardrc.store

idadari29nice.makeup

haymu.shop

hybf2025.sbs

obbiny.xyz

dlecore.xyz

rabbeat.live

irelily.vip

oahnyn.shop

om-massfadq.top

lizalyn.work

irlo.shop

hostsolver.store

ylastpics.info

adfgt.xyz

cis.club

iskol.fun

riceflashradarlab.xyz

enovhojecnhi.shop

Targets

- Target
  
  AWB_Ref509428922pdf.exe
- Size
  
  633KB
- MD5
  
  573c3aa20cab92c93663f0e475323557
- SHA1
  
  647598a3a90b23787b83f0c23ba26a8b4b779592
- SHA256
  
  9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a
- SHA512
  
  06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694
- SSDEEP
  
  6144:WTTzzJeyp1RnC7HJnIApeX9vLSaXmWFiB3WOk6f7h9WgFER0u+GIIIIIIIhIIIIw:GTzNeypHnC7HdeXZEWFTOk6fmBm5GV
Score

10^/10

formbook gt23 discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  tier0_s64.dll
- Size
  
  412KB
- MD5
  
  de738f87b7a558476d73d590ea20a3b9
- SHA1
  
  ea2da2c8b5c811ea798805d3e77250f12cf6da76
- SHA256
  
  87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850
- SHA512
  
  934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b
- SSDEEP
  
  6144:xgK7Z8Fd7IQx/XYn7z504xbPnTfMrqS63qqp5WEoXWGhYcRo4gFYRu7oJzBV9:hZ8Fd7IM/Xwnz2qS63nYEe6uo4gxyB
Score

1^/10
behavioral3 behavioral4
- Target
  
  vstdlib_s64.dll
- Size
  
  10.0MB
- MD5
  
  897e2193493cfd989d82f6a559bf1b2a
- SHA1
  
  df837bc19bf863ce466588ca3121fed884922b90
- SHA256
  
  92958c2e2d940de78a7f5352b00890f291d568816a8fe1b2bf8c572941644ec0
- SHA512
  
  761d12c8ebf7df3bbdc7cddf1220065a4e13780057c99b2e43bd653f1c00154ad9e1c8f2236373d54c985ee710c8847813223d244ad170c678593b3ce8e97996
- SSDEEP
  
  98304:nt/DDvVWLvBmmZCPPSVHxySAknm58mQzKSawKlhW1TS28kvGGp:t1WLvBzCSVHxySAknm58mHw6hKVGGp
Score

10^/10

formbook gt23 discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6