formbook | 1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30 | Triage

Sharing

General

Target

CZyOWoN2hiszA6d.exe
Size

653KB
Sample

240805-hh37bstaje
MD5

4f9709aa08fb342403b4a9d952419184
SHA1

07913a57cfe7e1674525397f571ae98d3195a11c
SHA256

1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
SHA512

cde7fe3db0ee4fd1876e3b40601e4d9c81ae4b2fa525335d183c9d0314fde6eaaa5820303d3fd2eb0a008f09511c08967fe0ba00fea83c9dee8d98d80f513fe0
SSDEEP

12288:3Zxa/zmcDXmyLO609WOgt3MbOSJ6gAFss9ewhMBdULG503vdPlLVBkR:3ZxaakZb0wr3MRJ7U9ZMBYG503DLVc

Score

10^/10

formbook v15n discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

v15n

Decoy

dyahwoahjuk.store

toysstorm.com

y7rak9.com

2222233p6.shop

betbox2341.com

visualvarta.com

nijssenadventures.com

main-12.site

leng4d.net

kurainu.xyz

hatesa.xyz

culturamosaica.com

supermallify.store

gigboard.app

rxforgive.com

ameliestones.com

kapalwin.live

tier.credit

sobol-ksa.com

faredeal.online

Targets

- Target
  
  CZyOWoN2hiszA6d.exe
- Size
  
  653KB
- MD5
  
  4f9709aa08fb342403b4a9d952419184
- SHA1
  
  07913a57cfe7e1674525397f571ae98d3195a11c
- SHA256
  
  1b9e77854e399411406c1f8e3fa6e0bceb4a1284c7bedeed503bcb24bdcfbe30
- SHA512
  
  cde7fe3db0ee4fd1876e3b40601e4d9c81ae4b2fa525335d183c9d0314fde6eaaa5820303d3fd2eb0a008f09511c08967fe0ba00fea83c9dee8d98d80f513fe0
- SSDEEP
  
  12288:3Zxa/zmcDXmyLO609WOgt3MbOSJ6gAFss9ewhMBdULG503vdPlLVBkR:3ZxaakZb0wr3MRJ7U9ZMBYG503DLVc
Score

10^/10

formbook v15n discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookv15ndiscoveryexecutionratspywarestealertrojan

behavioral2

formbookv15ndiscoveryexecutionratspywarestealertrojan