formbook | 218aebb6a74aebc7633d14855dff3fb6e0dee2e5f36916e6bdc432373ff87b53 | Triage

Sharing

General

Target

218aebb6a74aebc7633d14855dff3fb6e0dee2e5f36916e6bdc432373ff87b53
Size

577KB
Sample

240910-r9cccszhpf
MD5

3bb56036b1599f05aedf65fd2eb6a4a8
SHA1

dc0f7b06c37cc1a993619978db8622b7e30d5a73
SHA256

218aebb6a74aebc7633d14855dff3fb6e0dee2e5f36916e6bdc432373ff87b53
SHA512

50f016b8f7036b9df7607ef0ffdabbf31dde89fdebc1e99496ded895c49d2748089dee3800ca7f8b06cafa295ee10b89e9f06c4dd3590a2bf1e2c336e1d7718e
SSDEEP

12288:4aHbe7mbjG1C6tx8MwlBnNIvn90Qi0+I8JbykcZHzKBzNuL:4+eL/8bZ80QNLmbPvBzNK

Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sx01

Decoy

r-salessolutions.xyz

jdh1.info

olar-panel-jobs-93084.bond

aebrasil.shop

oshua-xaaaa.buzz

xzkm.shop

nitedviplumbing.net

nnevateknoloji.xyz

rg-a.biz

indow-replacement-34091.bond

uyersagent3percent.net

ostbag.net

ibosolv.net

ahve.today

ophotshotjobs.today

emoreez.art

ift-chairs-94905.bond

okerdom-e.best

stagr.fun

irtyf-ingrancher.info

Targets

- Target
  
  nmGdVmAxebb5aEP.exe
- Size
  
  729KB
- MD5
  
  8f2603c9822b7e98f2544b83f7ad6b55
- SHA1
  
  48f8dde1f2db0d50abcbbf0fe461791a51068ad5
- SHA256
  
  64a9613231cf8cca0624c38a480986b8ee7726390aeb3c662698fd9e156315ef
- SHA512
  
  0719d967f49bb27d11821662b2b78c39919929ea4a08aded80b2dd979ca74705e00b7f8c8444ccbf5fef56d413bb1253c61556bd7173cea18795078b10e394a9
- SSDEEP
  
  12288:QeiOX6A1n0YcGAOb6CMwlBvN2v9C++3YRxJ/GpBg2S:QeiJGnHAOb6CbZh3WxJ/
Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksx01discoveryexecutionratspywarestealertrojan

behavioral2

formbooksx01discoveryexecutionratspywarestealertrojan