formbook | 4efa0c0ddb802a05161342bb22941fb5e45fdb423a0455995b9642d238a0dcb3 | Triage

Sharing

General

Target

4efa0c0ddb802a05161342bb22941fb5e45fdb423a0455995b9642d238a0dcb3
Size

537KB
Sample

240912-qblbyawdpk
MD5

1fc3514ff34a401d23b6d2276d55bd54
SHA1

6173117802b17f28734057ae931ae865c7faf43e
SHA256

4efa0c0ddb802a05161342bb22941fb5e45fdb423a0455995b9642d238a0dcb3
SHA512

7ca8e5a460686d403f76b7c092b6a7657404dfa65e45ea98fee4bbc9660f7c249e7db0d4a5d59da8f2fb3d82d3db397fb509886b45d78fcf8917efcae1374afc
SSDEEP

12288:6OcnVHeZr6sMFTVJQzsUhjuI3RuYr/V4ZhHHfvrRj6EcfaKJox6o:aHeZrnKVqsMRuYrqJ91cfaAs6o

Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sx01

Decoy

r-salessolutions.xyz

jdh1.info

olar-panel-jobs-93084.bond

aebrasil.shop

oshua-xaaaa.buzz

xzkm.shop

nitedviplumbing.net

nnevateknoloji.xyz

rg-a.biz

indow-replacement-34091.bond

uyersagent3percent.net

ostbag.net

ibosolv.net

ahve.today

ophotshotjobs.today

emoreez.art

ift-chairs-94905.bond

okerdom-e.best

stagr.fun

irtyf-ingrancher.info

Targets

- Target
  
  Cf2vVo7XyxupqsL.exe
- Size
  
  587KB
- MD5
  
  0e4215aade422aeb64ff45d5712adc7e
- SHA1
  
  66303d555188ba6124021b09b3291b1326090ccf
- SHA256
  
  030d40369b21914a62ecd144abafc689073ac077c5481e4722154e2a565bc328
- SHA512
  
  89dfec073a28109fb96da6a0d1a82d520047d3f06a852757b9bb35f15283c7d746060f500969a9474a0fe0d4af8cd2515eedd8167950ef69cd0ee704a8509fd5
- SSDEEP
  
  12288:X3OSUWtbmf6juFEqopZXMg3xhEejaI3huYrDV+Zh1u8Djx8kWK2XH:uS3O6jVzMwE0huYr4+8DibK2
Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksx01discoveryexecutionratspywarestealertrojan

behavioral2

formbooksx01discoveryexecutionratspywarestealertrojan