formbook | 0eaed36cd55d9f368c68e37ca4f22e6504dcd035374214b5841a4cc7fc85229f | Triage

Sharing

General

Target

22052024_1252_22052024_Swift_FCP240522532.PDF.zip
Size

499KB
Sample

240522-p4ejescb3y
MD5

7186e5f344dd2f9877e16b404db416a5
SHA1

6d5c7eea5e3f4a64a1a6c3b7194a3037dd7d5463
SHA256

0eaed36cd55d9f368c68e37ca4f22e6504dcd035374214b5841a4cc7fc85229f
SHA512

7acdc20e2ee126151fe72acd9031cdb1ad83d37bd2059669b6d9810d5d6d994d408a2ff2d23f100132cd9ab9a7f61cb265bd69250d196421565b65ac4287d9fd
SSDEEP

12288:8gbELUh0WgZbs0CYYRegv/M1Kx5BPKYcbzvepe:8jQqWgB5yj01I5BPKvbrH

Score

10^/10

formbook lokibot dn03 collection execution rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.137.215/index.php/3b1tenbkyj

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

- Target
  
  Swift_FCP240522532.PDF.exe
- Size
  
  524KB
- MD5
  
  3911e099bed114b7417378e2dbe079d1
- SHA1
  
  00fea996bbff2b686a0b3e275d536babacefc0af
- SHA256
  
  e9e09c2f8031763a0c8494d500bd28ca3adc87d5f700111255db99f8142f2933
- SHA512
  
  55630fbf32fb702185fbc3f6adee9f5775e6e91c0c1bf9e448d7506ebed15852970946d856d9dd399f0b12da3f0a97a05c6c2803a4546e8a034e8f89eeb3694b
- SSDEEP
  
  12288:7EELYhiWgZlgyCGYRe6v/M1Kx5pPKYcfzvw:oEskWgDDyb01I5pPKvfr
Score

10^/10

lokibot collection execution spyware stealer trojan formbook dn03 rat
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

formbooklokibotdn03collectionexecutionratspywarestealertrojan