formbook | 09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef | Triage

Sharing

General

Target

09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef.exe
Size

608KB
Sample

240802-n9bjaawfrp
MD5

087a92aaf0a59bf4f54fafaae7b6a027
SHA1

a00135a4131ee743347f0ca3b3ac14427d008360
SHA256

09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef
SHA512

3647d3c39bf93e5d6b429392296e469218d855e41894545a91fd51a5dbae5830784506a4c224e106824131e312c47944cf07b23b594d6de5e0b5eabec5cf5d1f
SSDEEP

12288:VV8wtNDc2pZ/Mrr8ya2DG/ARyQg5f5Yk/Z3qOoUD6QA:fFcmZErIZ0zg59R3qNAl

Score

10^/10

formbook as89 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as89

Decoy

followcb.site

salutemanagement.com

shishiganggang.com

vanthuhay.xyz

nujekos.info

duckylucknodepositbonus.icu

ilemuelgroup.com

healnap.com

rezekitoto41.com

magicians-amino.click

fqr4dh.club

00050153.xyz

touchless-scoreboard.com

journaganstruevalue.com

connectingconcepts.biz

winraja88.com

mezcantina.com

cosmosfashions.com

dltholdingsandinvestments.com

vonlineb.com

Targets

- Target
  
  09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef.exe
- Size
  
  608KB
- MD5
  
  087a92aaf0a59bf4f54fafaae7b6a027
- SHA1
  
  a00135a4131ee743347f0ca3b3ac14427d008360
- SHA256
  
  09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef
- SHA512
  
  3647d3c39bf93e5d6b429392296e469218d855e41894545a91fd51a5dbae5830784506a4c224e106824131e312c47944cf07b23b594d6de5e0b5eabec5cf5d1f
- SSDEEP
  
  12288:VV8wtNDc2pZ/Mrr8ya2DG/ARyQg5f5Yk/Z3qOoUD6QA:fFcmZErIZ0zg59R3qNAl
Score

10^/10

formbook as89 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookas89discoveryexecutionratspywarestealertrojan

behavioral2

formbookas89discoveryexecutionratspywarestealertrojan