formbook | d281b712bf3960b42fc0e9d0997fbbc545f1113f1097dc87b91712bb5ecd4df5 | Triage

Sharing

General

Target

Quotation.exe
Size

730KB
Sample

240813-q6fd6s1hrr
MD5

4453dca26766035d9432ecee51eef94c
SHA1

af7c6e9ab2aecb58faf64fec05ab45f239dcbea3
SHA256

d281b712bf3960b42fc0e9d0997fbbc545f1113f1097dc87b91712bb5ecd4df5
SHA512

de8524b419b23e6971abda6a0d172930a0264374e05a207ed450c26bb0537c01958b349de7fd37ea7a475f1cdca15a95fea458f7d80c4e063992c4bfd17ad9bc
SSDEEP

12288:hbdGxhDy6BPUtdOIpuurJSs0XsVc2ZiM5Re+CkDSqDbX0e/fYq6jwQhz:hbduNW/OmuOcs08h1vnCkDdbB/Qqm

Score

10^/10

formbook h209 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h209

Decoy

sbtstuff.site

omlyes.com

movershifting.com

gearballer.com

oketoto.pro

myringleader.com

lrcjc750s.xyz

ata2024.xyz

password-manager-89409.bond

aiassistanthub.net

changvolt.cfd

netino.site

wear-wale.com

omnipresenceagency.com

huangguan.ooo

propersonnelmedia.com

9332952.com

k3s.support

ciytrw.xyz

cb095.pro

Targets

- Target
  
  Quotation.exe
- Size
  
  730KB
- MD5
  
  4453dca26766035d9432ecee51eef94c
- SHA1
  
  af7c6e9ab2aecb58faf64fec05ab45f239dcbea3
- SHA256
  
  d281b712bf3960b42fc0e9d0997fbbc545f1113f1097dc87b91712bb5ecd4df5
- SHA512
  
  de8524b419b23e6971abda6a0d172930a0264374e05a207ed450c26bb0537c01958b349de7fd37ea7a475f1cdca15a95fea458f7d80c4e063992c4bfd17ad9bc
- SSDEEP
  
  12288:hbdGxhDy6BPUtdOIpuurJSs0XsVc2ZiM5Re+CkDSqDbX0e/fYq6jwQhz:hbduNW/OmuOcs08h1vnCkDdbB/Qqm
Score

10^/10

formbook h209 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookh209discoveryexecutionratspywarestealertrojan

behavioral2

formbookh209discoveryexecutionratspywarestealertrojan