formbook

General

Target

Copia_de_recibo..zip
Size

548KB
Sample

230419-qrjhaaag48
MD5

b7ccf47893ba1aca34d15d665edba058
SHA1

acf6f04d345339b213945bb5bb71ebaa9c9ed281
SHA256

f5ea7973c7a31b4586437988fdd34d9ab62b48b82cb4575e203d8251513f677e
SHA512

dbb7c2da94e1a23bdab3b3ca61049e58011609e890c796371e3f79e2c7c69e4b9a42f2afd850cab4c562718484f8ed3a6c0b5c61980ed436018d8b5d91e13db5
SSDEEP

12288:WyGdnItCZKQZosFWW0pb9R5ddPWlgAYo04terR6ajIc8bu:WyGFIEht0ho044Au

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pi31

Decoy

allieduniversalbenefiys.com

gzpzgy.com

djuhsd.net

jeanniesartshop.com

bigbadmemes.com

journeymancamping.com

gila.africa

kally888.com

autoonlineschool.ru

goldentrumpbucks8product.online

mobonews.africa

bag-business.com

haiaidq.com

bestdfshelp.com

articpanelsystemsamericainc.com

fifa8866.com

ausmobile.store

improvisedml.com

jewelerfreak.com

ehealthpublic.com

Targets

- Target
  
  Copia de recibo..exe
- Size
  
  635KB
- MD5
  
  016ab34913ed274e95e44c03dade1a26
- SHA1
  
  1f7308bebd668cdefba0267e89f2f746e0bd37b8
- SHA256
  
  778c03b86d13fe942456d5fb5e5a41e8fd395931279afc45262c25721f208dd7
- SHA512
  
  33f28193982d6f625d3a0329a75ee07b2154863dd87166ae2c42f4ac6491efc12f4cdcefe25a06a49c0b8e1cb408232212b6228bc650a7690f3cd477646b4960
- SSDEEP
  
  12288:qOnbqjcNWT4/CttcoGAc29F3Klv3R5R7P+lEAbC/53byTQK3kJi:qJ8WT40tcqpL3KL53byTQK3Q
Score

10^/10

formbook pi31 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2