formbook

General

Target

3115e8e35e1156ac76de62594f9cd356
Size

1.6MB
Sample

220920-t671zadgg7
MD5

3115e8e35e1156ac76de62594f9cd356
SHA1

0f435afcc129ffe9b81c6642a1b5207715a6d4ab
SHA256

45e37a81a6154bd459fc44140874e5f88edbd2337ecd9dec0d26e1e5748e23c1
SHA512

20a326ace058ada5a84179f3796a2f365348e61bddd9ccaa67c2f6ea629a8bda0e05596b55c3f044fb11c474a8218e26481172c35cf332f07ad2bf3e88abff52
SSDEEP

24576:oAOFy+FYtlzBzsTULSQJwEUx1GI79wVT37ZtDrzITYLTpI2wnuzCzxfl8Wo/h6hp:oDFQtbsw2XmtF3lpiGTW5nuBbo

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Targets

- Target
  
  ADASU AKU-GIB2022.exe
- Size
  
  1.3MB
- MD5
  
  e124339f08506d6b5bab4d071784a65e
- SHA1
  
  bcac9d8f2919ed3e57ad78f4a5c999b3b9faf88f
- SHA256
  
  8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
- SHA512
  
  0d8c3949cd7cdd07264398dbf9a6224c6ab40af0ee81d1936bb2a436f25981309958f5f9c405ad5553890cf94dd7f55667a07b44336ffefbc90c0127e8825df9
- SSDEEP
  
  24576:rAOcZ8hI77JrtcZ2iYLwHQciT79xUkjPV99npuezy71oporahX:ta79pcZ2iM+QHTjUkj9fZe6Gc
Score

10^/10

formbook mh76 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2