formbook | bb769a3695065424b9a59287afad563f07f71b9a1f00973f27cff1f00121b84b | Triage

Sharing

Copy URL Twitter E-mail

General

Target

HSBC Payment Advice.img.zip
Size

697KB
Sample

240611-rq3efazhqj
MD5

579d2040975ee53c65f369ac288937ca
SHA1

cc6ac9c922d21b2bd25cb4166b3e9c239f518297
SHA256

bb769a3695065424b9a59287afad563f07f71b9a1f00973f27cff1f00121b84b
SHA512

dae20976e013ee73b584d1b9614fd8458d4bdf3d9f70787cf0a88d17dea7e6457351cea947b86a2f5c0ebc51a41c1e35eb28dc1f5b414e6b79863762774107ba
SSDEEP

12288:c/dA+AFHV9tImib3dlsvnJIMFw6IdWdnpoIBqGRAvqv22uRIZyG4kQqZWw:NvtIX3dy926IAdnpozoIqv2qsqD

Score

10^/10

formbook mw62 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mw62

Decoy

abpdainik.in

luxuryprojectmalad.co.in

cajunbellebeauty.com

fpmfstudios.com

spedyz.shop

wilddogphotographics.com

apollomoda1.com

evrimciftciportfolio.com

99977bet.com

inefavel.com

mf85.com

online-doctor-nl-1.bond

zqi2lv.vip

thewebdesignhub.co

botwitter.com

18comic-palwoeld.club

loveweldpermanentjewelry.com

l3er39pc-gaywn6kv-d7fs4t7u.cc

31yoyogamestudio.com

yhvh.cloud

Targets

- Target
  
  HSBC Payment Advice.img.exe
- Size
  
  720KB
- MD5
  
  271c1d8e6411be19170021ce4a896359
- SHA1
  
  0948954a5aba126505fce12b4336f3f02ed14f5b
- SHA256
  
  0effded7966d1959e7451e0a68256df8eb5c320e9721b3f4b5e2d7aace8792cf
- SHA512
  
  d2f887b96644707aa2e453e263f2b6ec0844801a483ad0888f2c3c6d83db01a2f3bb4ebb97ea2fa0ad8c9faa005d5aaca81c24b94ef253677cb3e50517a39f29
- SSDEEP
  
  12288:00XyD3HH3DI+F0dlaflXIcF4kc+4IXQtYJvUKOzC3KyAxWkR:ZXyjH3DIPdMzak14Ig6JvUKMPywN
Score

10^/10

formbook mw62 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmw62executionratspywarestealertrojan

behavioral2

formbookmw62executionratspywarestealertrojan