formbook | 16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100 | Triage

Sharing

General

Target

16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
Size

631KB
Sample

250326-eljqbazrv6
MD5

485d4375ab8e346f7889e737df009764
SHA1

93cc3d5ec9b1052e68185c42f22fe7bd55b055db
SHA256

16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100
SHA512

d436975a98bbd80210839297d03243f7f9facc87cb5c143ea2d28c62769539502f665661efbbb29d283c376f5e04f223778594e2fcd6ac1e3add38882e8cec9b
SSDEEP

12288:wyjvOn6nzxBZY8ZdLFgxfNH1aae0W8oUYrYB9QdTa7UL:Zj2n6n3qId5CaaeqoUTTQ5aQL

Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs03

Decoy

aindirectiveteam.info

itchen-remodeling-up.world

avadacasino21.buzz

urumsbicard.net

ental-care-2762127.fyi

raveline.tech

camtech.online

leartec.health

odkacasino-333.buzz

oans-credits-73480.bond

ubstrate360.xyz

dalang.click

on66my.xyz

elegilgh.run

wlf.dev

ex-in-wien.net

riminal-mischief.cfd

0ns.pro

klopcy.xyz

ssetexcelstrongmanageroot.xyz

Targets

- Target
  
  16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100.exe
- Size
  
  631KB
- MD5
  
  485d4375ab8e346f7889e737df009764
- SHA1
  
  93cc3d5ec9b1052e68185c42f22fe7bd55b055db
- SHA256
  
  16fd6d298d5601766ee8fd0e0164898436f9cad9ac79927a14af387166aac100
- SHA512
  
  d436975a98bbd80210839297d03243f7f9facc87cb5c143ea2d28c62769539502f665661efbbb29d283c376f5e04f223778594e2fcd6ac1e3add38882e8cec9b
- SSDEEP
  
  12288:wyjvOn6nzxBZY8ZdLFgxfNH1aae0W8oUYrYB9QdTa7UL:Zj2n6n3qId5CaaeqoUTTQ5aQL
Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbs03discoveryexecutionratspywarestealertrojan

behavioral2

formbookbs03discoveryexecutionratspywarestealertrojan