formbook | ab178721c79dcba37cf1979de6f85c6b3531371b8492749970d91773a505949a | Triage

Sharing

General

Target

ab178721c79dcba37cf1979de6f85c6b3531371b8492749970d91773a505949a.exe
Size

627KB
Sample

240903-cqynxsvaln
MD5

ef494e2d8600338e6c4abb514a6f2fdb
SHA1

8864364fb585590e5cddc1356d44ce1ba731dbff
SHA256

ab178721c79dcba37cf1979de6f85c6b3531371b8492749970d91773a505949a
SHA512

b8fb64d569e1066c794567641ad28052a3684358f9faf14e393406057811f0654670687a2e702e67dae6ed8cb4000c5c16a8e42af940c9de2b9d33adafd1ce1e
SSDEEP

12288:j0R/Uv8Ua4u1oV2KCe/bldkNzOzmXYu5dq1TEpT:j0R8EUa41FMkzEdq1Ip

Score

10^/10

formbook h209 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h209

Decoy

sbtstuff.site

omlyes.com

movershifting.com

gearballer.com

oketoto.pro

myringleader.com

lrcjc750s.xyz

ata2024.xyz

password-manager-89409.bond

aiassistanthub.net

changvolt.cfd

netino.site

wear-wale.com

omnipresenceagency.com

huangguan.ooo

propersonnelmedia.com

9332952.com

k3s.support

ciytrw.xyz

cb095.pro

Targets

- Target
  
  ab178721c79dcba37cf1979de6f85c6b3531371b8492749970d91773a505949a.exe
- Size
  
  627KB
- MD5
  
  ef494e2d8600338e6c4abb514a6f2fdb
- SHA1
  
  8864364fb585590e5cddc1356d44ce1ba731dbff
- SHA256
  
  ab178721c79dcba37cf1979de6f85c6b3531371b8492749970d91773a505949a
- SHA512
  
  b8fb64d569e1066c794567641ad28052a3684358f9faf14e393406057811f0654670687a2e702e67dae6ed8cb4000c5c16a8e42af940c9de2b9d33adafd1ce1e
- SSDEEP
  
  12288:j0R/Uv8Ua4u1oV2KCe/bldkNzOzmXYu5dq1TEpT:j0R8EUa41FMkzEdq1Ip
Score

10^/10

formbook h209 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookh209discoveryexecutionratspywarestealertrojan

behavioral2

formbookh209discoveryexecutionratspywarestealertrojan