formbook | 0fa5bc9dee4c95c6fc9468aa5193eaba99fe766b28defce9e9878677b7c398bc | Triage

Sharing

General

Target

19092024_0050_18092024_PR2409-1513.pdf.rar
Size

581KB
Sample

240919-a6z6kssbnf
MD5

f028c276f5d4a51f35b8bb04c2c3ca44
SHA1

5f3cf4ad6f23b327ca230da29bccb17325372e43
SHA256

0fa5bc9dee4c95c6fc9468aa5193eaba99fe766b28defce9e9878677b7c398bc
SHA512

f5eaae5285275516b08cc224701fa9a23b6c8674f5dea1311844f05cfb5fceb9a7670813158bdf18b26652c87c79e8e3a6191dd3f0831cf3d259b8fd503ef99c
SSDEEP

12288:+e2/zcYtGolqYfpmGr5OfsYbbOrnEt9zd9Xh1dolQJsKVa7dvStXnLnRaN5HXsLu:+7hbpJM7KrnuXh3fJsxJqdE6cr

Score

10^/10

formbook m10i discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m10i

Decoy

rmani.today

ifebork.xyz

randovation.net

itchen-remodeling-65686.bond

himu.world

reverie.net

9038.top

rowahome.live

obility-scooters-63189.bond

iangchunqiu.top

yhd.fun

eniorsforseniors.biz

z9zs2.shop

kkjinni.buzz

22av373vu.autos

allnyy.fun

qst.digital

rcap.info

745.top

earfulabjectshirkwashclothe.cfd

Targets

- Target
  
  PR2409-1513.pdf.exe
- Size
  
  798KB
- MD5
  
  6873a4a84ed3bb7f4554d1b9cf960d60
- SHA1
  
  dd6e5e47dc2deac13db80cdd8824beac7386832a
- SHA256
  
  f23856d737f4ba1f44e51aef81b4b122e7cf0ffeb40d5665895588e6921b21bc
- SHA512
  
  22710365911cb82a284415ab3c783c35abd89b206f48518043b77627f37b462da6153ab0b98c522340c3de691c7f9196c5d2656f1736d60fd7588de9a4a1d265
- SSDEEP
  
  12288:dMlll/c8Z6/bFN8pgsxelo6Qz5OI7IHBxiHoGhsHx/6otQYKzJ4wNsmy1:AcPJo6QuHBxyxSHg67wJXNs31
Score

10^/10

formbook m10i discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm10idiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm10idiscoveryexecutionratspywarestealertrojan