formbook | e9cb8b8b4e7031316ce1af73a31f3f5541c4776b9f0e7c7e23da465099348238 | Triage

Sharing

General

Target

e9cb8b8b4e7031316ce1af73a31f3f5541c4776b9f0e7c7e23da465099348238
Size

582KB
Sample

250327-h18vjayth1
MD5

6859fd1cdb192f63922e58e085a43c74
SHA1

cdf8b03d8c916bc3a5ec0fe918cc74017e4fee20
SHA256

e9cb8b8b4e7031316ce1af73a31f3f5541c4776b9f0e7c7e23da465099348238
SHA512

8aa8cf4aadfb6082ee895fdb924befc04c700562368c2ce6d3b143c55b7a99c8b213cbfa67d5f91928a9b4aff6a5639f7284a24b3ecab7860f1a76f39eb9810f
SSDEEP

12288:jB2dZaBIkApkkXYZ063t6I/LLOcGqZrk04cgQTCqJ25U:jBQEA2kAEIjKaktcbP25U

Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Targets

- Target
  
  QUOTATION REQUEST 27-03.exe
- Size
  
  696KB
- MD5
  
  fed1cdaddb684b6463f6642572d2d713
- SHA1
  
  0a174c3386b5a37730fe291c3ae333ebdda7d2e1
- SHA256
  
  efc8dba0e301b455b4691c60bf363ce60bc0b44921a2018ce2c1a684df8d26b9
- SHA512
  
  5ef0f158a93fca0685b41eccce2bb40570d74fb82c36e88bc8b11832d360417af855e79caccfab808d5c0c76e8f40f34367e8aa8e50f8846f37c0455a5aaf7f6
- SSDEEP
  
  12288:tN89fTedLZaxIkApSkXYZ0oVjA9T6BBYvkViOmvRSNI8piNnD9aefD:b89fsLKA0kR5zvkVlmvQNIfMer
Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka03ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka03ddiscoveryexecutionratspywarestealertrojan