formbook | d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d | Triage

Sharing

General

Target

Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
Size

617KB
Sample

250326-pcb9zs1zaz
MD5

5d917b070d148e8c043a3df37d8d0d6f
SHA1

75cd40a178208432228ce736a5c4eb35b2d89b44
SHA256

d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
SHA512

cff6b80d91e5577aaf3194256006042db1397b473a1fbdc98337ff98dd1a553bbb920c8c3c663e24949b49d545ef1c39c4024fcdf0b5e5d9d52717bf01b43081
SSDEEP

12288:qPFY/Bdue1pIemCBnH6h+/wfktcLkdseWQnYK7u4XFBbHovTY26:qPFG31XV0+/wfbkd37YK7u418TW

Score

10^/10

formbook my18 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

my18

Decoy

ladproductreviews.shop

ivor.online

odesfactory.xyz

shim.shop

elonyyoung.net

gac.online

zgtl.click

27652.locker

omelyrooms.online

ermanosu.online

offee-machine-19139.bond

91033.pro

ovedirectiveteam.info

tmsolcoinews.uno

lizz.finance

uyurbanaraava.shop

anufixo.xyz

ypercog.xyz

itblog.tech

reshdirectivesolutions.info

Targets

- Target
  
  Sigmanly_d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
- Size
  
  617KB
- MD5
  
  5d917b070d148e8c043a3df37d8d0d6f
- SHA1
  
  75cd40a178208432228ce736a5c4eb35b2d89b44
- SHA256
  
  d8c0f4739b6a46ee8c46a6af4622158b9a866b6eabd1dd6a88228856520b714d
- SHA512
  
  cff6b80d91e5577aaf3194256006042db1397b473a1fbdc98337ff98dd1a553bbb920c8c3c663e24949b49d545ef1c39c4024fcdf0b5e5d9d52717bf01b43081
- SSDEEP
  
  12288:qPFY/Bdue1pIemCBnH6h+/wfktcLkdseWQnYK7u4XFBbHovTY26:qPFG31XV0+/wfbkd37YK7u418TW
Score

10^/10

formbook my18 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmy18discoveryexecutionratspywarestealertrojan

behavioral2

formbookmy18discoveryexecutionratspywarestealertrojan