formbook | 8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f | Triage

Sharing

General

Target

SecuriteInfo.com.Win32.CrypterX-gen.29279.29610.exe
Size

695KB
Sample

240902-ewybfssdra
MD5

0fa31cdedfad8f0dd2a1b1b6c0f1b957
SHA1

91148974cf0d66aaac1648b64404b9c24d141d3c
SHA256

8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f
SHA512

f78905dd816c7f3f34ee5f2c3fcfad21383dbe58652fe475a13900b39482a2c6b14f1ab114d34a0f5e281aa325d676333d5fc1d8c55bcef25983a1aa5ce4b6e9
SSDEEP

12288:9GZKzvNUOBKYvI8hGayiRMhBcRiPNWZIBRR4LPJiyIA/ZMDPwffC0UNj6eWf1yrw:AOOyGPiRMhBciPHrRqJiyIZPwffC00O5

Score

10^/10

formbook m49z discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m49z

Decoy

ormswarm.xyz

awn-care-63587.bond

uymetanail5.online

mergencyloan007.xyz

545.top

eiliao596.pro

ackersandmoverschennai.net

ehdiahmadvandmusicbest.click

tlgxmb2024.cloud

ulfcoastharborhopper.pro

rohns-disease-early-signs.today

oldenhorizonsbgcl.click

weetindulgencepro.xyz

yexoiup.xyz

yself-solar.net

kfirsatimla.online

bropub3.online

ouljourney.online

usvf76f.shop

onnaberich.online

Targets

- Target
  
  SecuriteInfo.com.Win32.CrypterX-gen.29279.29610.exe
- Size
  
  695KB
- MD5
  
  0fa31cdedfad8f0dd2a1b1b6c0f1b957
- SHA1
  
  91148974cf0d66aaac1648b64404b9c24d141d3c
- SHA256
  
  8140718075fb3cf55e098f68fa8dfc75022a22fb658611503880b4c0c674d71f
- SHA512
  
  f78905dd816c7f3f34ee5f2c3fcfad21383dbe58652fe475a13900b39482a2c6b14f1ab114d34a0f5e281aa325d676333d5fc1d8c55bcef25983a1aa5ce4b6e9
- SSDEEP
  
  12288:9GZKzvNUOBKYvI8hGayiRMhBcRiPNWZIBRR4LPJiyIA/ZMDPwffC0UNj6eWf1yrw:AOOyGPiRMhBciPHrRqJiyIZPwffC00O5
Score

10^/10

formbook m49z discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm49zdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm49zdiscoveryexecutionratspywarestealertrojan