formbook | 4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b | Triage

Sharing

General

Target

Sigmanly_4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
Size

678KB
Sample

250326-pszp8a1qz8
MD5

acd4b8a4942027c60549e8adb8195727
SHA1

b92a0256ced0778c1892e4f7457679e9dcf626db
SHA256

4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
SHA512

529cf1b995f99cfaf439f10cba7def41bf72f6290f107558511988acfdfde9c68f6f5cfb96b329abf99066b30e64a48b0698a014a388233103f4003285a3604b
SSDEEP

12288:mQTPphPpFk6TzS+rlapC/BdEZaPe/jS/9JZZDnWlnlDlDkSI6UWeK4:rhPpF+elU6BdYu1JrWllxkl6P

Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs03

Decoy

aindirectiveteam.info

itchen-remodeling-up.world

avadacasino21.buzz

urumsbicard.net

ental-care-2762127.fyi

raveline.tech

camtech.online

leartec.health

odkacasino-333.buzz

oans-credits-73480.bond

ubstrate360.xyz

dalang.click

on66my.xyz

elegilgh.run

wlf.dev

ex-in-wien.net

riminal-mischief.cfd

0ns.pro

klopcy.xyz

ssetexcelstrongmanageroot.xyz

Targets

- Target
  
  Sigmanly_4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
- Size
  
  678KB
- MD5
  
  acd4b8a4942027c60549e8adb8195727
- SHA1
  
  b92a0256ced0778c1892e4f7457679e9dcf626db
- SHA256
  
  4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
- SHA512
  
  529cf1b995f99cfaf439f10cba7def41bf72f6290f107558511988acfdfde9c68f6f5cfb96b329abf99066b30e64a48b0698a014a388233103f4003285a3604b
- SSDEEP
  
  12288:mQTPphPpFk6TzS+rlapC/BdEZaPe/jS/9JZZDnWlnlDlDkSI6UWeK4:rhPpF+elU6BdYu1JrWllxkl6P
Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbs03discoveryexecutionratspywarestealertrojan

behavioral2

formbookbs03discoveryexecutionratspywarestealertrojan