formbook | 42f58dc6b62c332904fe40b03e17aa5b26fae434ec762b00593b55bd34eb05fe | Triage

Sharing

General

Target

13092024_0348_12092024_fattura proforma pdf.exe.xz
Size

918KB
Sample

240913-ec6tgstapa
MD5

c26770ce6dd4e6dd2bf57df5ad9c5605
SHA1

b55cfa9892cf0abad55ca5f7e45aab9d61096020
SHA256

42f58dc6b62c332904fe40b03e17aa5b26fae434ec762b00593b55bd34eb05fe
SHA512

8dddc621c81638999b20b49a85f8cf8f8af526c728c0c29abe3f0de7bfd54776ba83632ec1213eeb5cde335bd98b1fc5892ff807b21fefa9658c69ea5d7ca141
SSDEEP

24576:jnR24sPnUiQF3T3tQ3I0k91CGhH0GvSBnM4LsfGAE6re:Y4sPnpg3rq3Idnx0UEM447Eye

Score

10^/10

formbook kmge credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  13092024_0348_12092024_fattura proforma pdf.exe
- Size
  
  2.1MB
- MD5
  
  8e23f17a28191c04596391464d43870c
- SHA1
  
  91e7b1e075aaf6ad3ce2fea102d4a31dea2e446e
- SHA256
  
  0e4890952f2506c3cd0124d53fa0c39f2cdaf432c2be5f3ac6257793013e618b
- SHA512
  
  bf9e5cee8ae9f612e3204d8343cdf11998b304673c7ecae1682de999b55d58b5632e2bff8b9893c284c1fa9cd1da618e9c3e0033214319bf1dda91b0a8f6211f
- SSDEEP
  
  49152:xfDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszH8u1BbSCg3E16su:xfDQQsNJT16su
Score

10^/10

formbook kmge credential_access discovery execution persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgecredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

behavioral2

formbookkmgecredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan