formbook | c3825d126fba5b9662997439e5f20da9fede82e4902172c86632299f7e512d74 | Triage

Sharing

General

Target

c3825d126fba5b9662997439e5f20da9fede82e4902172c86632299f7e512d74
Size

593KB
Sample

250328-nbhvpsxjy3
MD5

40d0a7985e3d570bb6cc44da3d2f851a
SHA1

2224b17a9af2cf94c70a2edfc5bbc4eb247a2bf1
SHA256

c3825d126fba5b9662997439e5f20da9fede82e4902172c86632299f7e512d74
SHA512

4be3f1291600eaa1ae690668608292c6012e949866ff085a96a4d1408294c739327c6f50febed10859853bda0831f836101b3a20452c48bf0769fc73a60b879c
SSDEEP

12288:1FEZdHysnxsSLVKc0QwFN7f2MWxg69Mx6IzrbLV98s6:1F6dy6xs0VR0QwNVf69Q/A

Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Targets

- Target
  
  Purchase Order #PO11774.exe
- Size
  
  640KB
- MD5
  
  e0d5a1d3be5203913a112da74dde9326
- SHA1
  
  9a0c4da5adc288a9921d0ef9103ed27da1e0464d
- SHA256
  
  a15006eb6ff449cff64e2df7ed41e85051eb25c0e179b14c9e04f7464ff69bb2
- SHA512
  
  44ee9fa209cfc9478bf79c97ea0cd1eaaa6e2301c7ee0228850c1136db3da247fa1902559241e0e726ef4e47d05387aee99c4319e1673b8ada500a4c0b8f1593
- SSDEEP
  
  12288:0eQiKaxzulQ0BXdLVymkQwF1712Me7g69MQyCjrED:1Qi5uxBXtVlkQw1jv699JoD
Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooka03ddiscoveryexecutionratspywarestealertrojan

behavioral2

formbooka03ddiscoveryexecutionratspywarestealertrojan