formbook | 7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71 | Triage

Submit
Reports

Overview

overview

Static

static

3

PO - 04755 .bat.exe

windows7-x64

PO - 04755 .bat.exe

windows10-2004-x64

Sharing

General

Target

PO - 04755 .bat.exe
Size

541KB
Sample

240701-p2zrkssela
MD5

37f3b2a7f84422ea9fce13bcc170461b
SHA1

b2d8ac2774b12ffc4412435224398f3909bc8ceb
SHA256

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
SHA512

604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
SSDEEP

12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K

Score

10^/10

formbook 45er execution rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PO - 04755 .bat.exe

Resource

win7-20240419-en

formbook 45er execution rat spyware stealer trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO - 04755 .bat.exe

Resource

win10v2004-20240508-en

formbook 45er execution rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

7140k.vip

appmonster.live

rvrentalsusane.com

berry-hut.com

h-m-32.com

aklnk.xyz

project.fail

thelbacollection.com

ternkm.com

331022.xyz

qhr86.com

casvivip.com

f661dsa-dsf564a.biz

holisticfox.com

taobaoo03.com

kursy-parikmaher.store

reignscents.com

wot4x4.com

axoloterosa.com

instzn.site

nn477.xyz

jwsalestx.com

cualuoinuhoang.com

sagehrsuiteindercloud.solutions

2ecxab.vip

lottery99nft.xyz

budakbetingbet43.click

plaay.live

drmediapulsehub.com

bahismax.com

clareleeuwinclark.com

clarimix.com

ssongg11913.cfd

shapoorji-kingstown.com

detoxifysupplements.info

easy100ksidegig.com

abramovatata.online

barillonfo.net

keendeed.com

yunosave.online

pptv05.xyz

malianbeini.net

polariscicuit.com

sahibindencomparamguvend.link

used-cars-99583.bond

Targets

- Target
  
  PO - 04755 .bat.exe
- Size
  
  541KB
- MD5
  
  37f3b2a7f84422ea9fce13bcc170461b
- SHA1
  
  b2d8ac2774b12ffc4412435224398f3909bc8ceb
- SHA256
  
  7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
- SHA512
  
  604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
- SSDEEP
  
  12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K
Score

10^/10

formbook 45er execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbook45erexecutionratspywarestealertrojan

behavioral2

formbook45erexecutionratspywarestealertrojan

© 2018-2024

Terms | Privacy