formbook | df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb | Triage

Sharing

General

Target

df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb.exe
Size

588KB
Sample

250327-qnlhgasvhv
MD5

d57f189db1e00f4bc3bf0697023c763d
SHA1

c0696cd65511957e04e61b79206e3e642e5a8992
SHA256

df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb
SHA512

85ca18aba5034317aa2f9aac413275175b59948456d50b99234422638668d2c26c553067f757aa3955bd586c04f7e75bb5ae537d6094eb70c3ef8f1db56e49ab
SSDEEP

12288:48XLCsp4ppptlpMkQ28GKkpeGHO8FG0tF5RlCgnKl0kEVjun+BciO4d0N+2FSV:/XLCsO7ptS/kpeq+0FLCrVEVju+BciOc

Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs03

Decoy

aindirectiveteam.info

itchen-remodeling-up.world

avadacasino21.buzz

urumsbicard.net

ental-care-2762127.fyi

raveline.tech

camtech.online

leartec.health

odkacasino-333.buzz

oans-credits-73480.bond

ubstrate360.xyz

dalang.click

on66my.xyz

elegilgh.run

wlf.dev

ex-in-wien.net

riminal-mischief.cfd

0ns.pro

klopcy.xyz

ssetexcelstrongmanageroot.xyz

Targets

- Target
  
  df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb.exe
- Size
  
  588KB
- MD5
  
  d57f189db1e00f4bc3bf0697023c763d
- SHA1
  
  c0696cd65511957e04e61b79206e3e642e5a8992
- SHA256
  
  df76258f5a92817111c47c370f40806f0e913fe8a8f05dc84a8a3f5e5c8464eb
- SHA512
  
  85ca18aba5034317aa2f9aac413275175b59948456d50b99234422638668d2c26c553067f757aa3955bd586c04f7e75bb5ae537d6094eb70c3ef8f1db56e49ab
- SSDEEP
  
  12288:48XLCsp4ppptlpMkQ28GKkpeGHO8FG0tF5RlCgnKl0kEVjun+BciO4d0N+2FSV:/XLCsO7ptS/kpeq+0FLCrVEVju+BciOc
Score

10^/10

formbook bs03 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbs03discoveryexecutionratspywarestealertrojan

behavioral2

formbookbs03discoveryexecutionratspywarestealertrojan