formbook | 438b4a7fd44c48ebaa0ef1e7368b7d344de8040ed247e77b5c84ebe0c2592629 | Triage

Sharing

General

Target

438b4a7fd44c48ebaa0ef1e7368b7d344de8040ed247e77b5c84ebe0c2592629
Size

620KB
Sample

240823-es6tesxbqq
MD5

73c559a812d34be3ec0207353de5ecd4
SHA1

cb3e94f2aa55bb49494cc54ab5e774529b0a99ba
SHA256

438b4a7fd44c48ebaa0ef1e7368b7d344de8040ed247e77b5c84ebe0c2592629
SHA512

378f4ed2c195f233ac2d3211e2134cb8d003cc2a6451c59bdfd82864109d438366a6a47588ac1fe1870eddfa849a288a77e3d5cb543c6f7b1568006c9a597852
SSDEEP

12288:hVv0udtVGpumjGAes20Eo/xBPuSQ/ygG56pQew9usstZMubAkv++KQBYRjq:hVNvVIBxeYEULkyrk9Xt6hkv4hNq

Score

10^/10

formbook rn10 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rn10

Decoy

kedai168et.com

mental-olympics.com

pussybuildsstrongbones.net

857691.shop

hisellers.net

exposurecophotography.com

beaded-boutique.net

wednesdayholdings.com

plesacv.xyz

manonlineros.com

a0204.shop

333689g.com

dyprl716h.xyz

pulseirabet.com

fnet.work

bo-2024-001-v1-d1.xyz

ongaurdsecurity.com

giulianacristini.com

miladamani.com

magicalrealmshopkeeper.online

Targets

- Target
  
  image_00yu.exe
- Size
  
  684KB
- MD5
  
  5b671e65052b9fe3672bf5671193a415
- SHA1
  
  42e2cbed170357699d64541d458ee4bab1c9e04d
- SHA256
  
  8b4af4f4e4ff7945788cfd890de28517157ebbd54b28561b02eaa4774a8c6573
- SHA512
  
  008225e7dcb3a9241c465a7f356c003758004392b3fc5aa777151ccd34c4fd602bad6f839416af9bb0960a2d08588c6b80ac375499b07c1f05229a256a758f14
- SSDEEP
  
  12288:v2xu/Zx7GpuKjGAes2CEo1xBPuE8/ygGt6pQeI9usAtZGobkkN++KQ/YRjIkR:eQ/7I3xeuEQLcyrQ99tAxkN45Nf
Score

10^/10

formbook rn10 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookrn10discoveryexecutionratspywarestealertrojan

behavioral2

formbookrn10discoveryexecutionratspywarestealertrojan