formbook | 89c2137b3dec9c0698bb3980b98eda725224bc28c54fa8159d71f580be48800a | Triage

Sharing

General

Target

Wire Transfer Copy-006566.lzh
Size

583KB
Sample

240829-kr78rasflh
MD5

578c8a0ffec06b2a50efd37cabc57e59
SHA1

7c2329d816c3c3639a3cb61b0e83d4f1c09bd602
SHA256

89c2137b3dec9c0698bb3980b98eda725224bc28c54fa8159d71f580be48800a
SHA512

82f8c6bef24288a0bab8ff72b9b8396c20c0b882c58da18bb80c23e4e78112d7ac007b79bdd5770d139f327901ffce056297d372d694244c2ddd37dc9cd90f09
SSDEEP

12288:ZJLjDNKTbpOV5INKjnac2hIgvlKTMiKG5fA1I1xOkn6P5EnBdqH:ZFjDNypOQMbac2UjPjOQFBda

Score

10^/10

formbook m49z discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m49z

Decoy

ormswarm.xyz

awn-care-63587.bond

uymetanail5.online

mergencyloan007.xyz

545.top

eiliao596.pro

ackersandmoverschennai.net

ehdiahmadvandmusicbest.click

tlgxmb2024.cloud

ulfcoastharborhopper.pro

rohns-disease-early-signs.today

oldenhorizonsbgcl.click

weetindulgencepro.xyz

yexoiup.xyz

yself-solar.net

kfirsatimla.online

bropub3.online

ouljourney.online

usvf76f.shop

onnaberich.online

Targets

- Target
  
  Wire Transfer Copy-006566.bat
- Size
  
  620KB
- MD5
  
  196e5396decbd8a8c4fbad95879b8a80
- SHA1
  
  e38084937ff988d95cb1d0ecc94d1c3bff6c419a
- SHA256
  
  ccbabb104efcbd684a891982f957df4f45ea42323f3e2c26c3ffd6816f0832bd
- SHA512
  
  9411c95a1500ecb01b10f4ee7cb3f0135f376d8f7f2c70e69506d1685fd16aea1468d56465ae60cf6593c8717bab68229cb7d4341535abd7a3c0db9b4e84dc1c
- SSDEEP
  
  12288:nVVRCY4DZ8fazulqCgPAq1FE31PfzHXefLT3kR:7RCY4d80Iq1A1HzH0y
Score

10^/10

formbook m49z discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm49zdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm49zdiscoveryexecutionratspywarestealertrojan