formbook | f8075ee649626473c5452ffdc4330597d1988e8a22367162406c658af617e4de | Triage

Resubmissions

29/07/2024, 15:14

240729-sma2fsycrf 10

Sharing

General

Target

PAYMENT SLIP2.doc
Size

705KB
Sample

240729-sma2fsycrf
MD5

57f3a8024f22620c786a65d06583a3e9
SHA1

0a172545f65de6d7b0478fcda55b2c8d0bebe915
SHA256

f8075ee649626473c5452ffdc4330597d1988e8a22367162406c658af617e4de
SHA512

94b29ac4017509812eb47cb654cc00a06cd1232fe8ada550e91373276e2b540321b7e896213c88f05ed5b637af27aa5c604fdc0cdd62fcf2ef841f75847b38b3
SSDEEP

6144:n62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62Y:EUm5

Score

10^/10

formbook oi12 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oi12

Decoy

exobello.bio

boinga.xyz

animasriversurf.com

gamesflashg.com

hayatbagievleri.online

washington-living.com

july7.store

x-pod-technologies.com

farmhouseflaire.com

qb52aa.top

datasynthing.xyz

5v28n.rest

legacycommerceltd.com

mundodelosjuguetes.com

wjblades.com

z9b6g8.com

eskimotech.net

dreziuy.xyz

bestsolarcompanies.services

vertemisconsulting.com

Targets

- Target
  
  PAYMENT SLIP2.doc
- Size
  
  705KB
- MD5
  
  57f3a8024f22620c786a65d06583a3e9
- SHA1
  
  0a172545f65de6d7b0478fcda55b2c8d0bebe915
- SHA256
  
  f8075ee649626473c5452ffdc4330597d1988e8a22367162406c658af617e4de
- SHA512
  
  94b29ac4017509812eb47cb654cc00a06cd1232fe8ada550e91373276e2b540321b7e896213c88f05ed5b637af27aa5c604fdc0cdd62fcf2ef841f75847b38b3
- SSDEEP
  
  6144:n62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62W62Y:EUm5
Score

10^/10

formbook oi12 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookoi12discoveryexecutionratspywarestealertrojan

behavioral2