formbook | e6e88a66deba0d9ed4021c491814969707034b0d459bb3144870d98b083131ba | Triage

Sharing

General

Target

19092024_0056_18092024_dekont.pdf.zip
Size

589KB
Sample

240919-bapweasdmd
MD5

b637c098c8cc6934e1487907553b00b6
SHA1

881ad773707a6713a6960e9348c052f6c9be7645
SHA256

e6e88a66deba0d9ed4021c491814969707034b0d459bb3144870d98b083131ba
SHA512

7ea783f1b9f96c59ea0b9ef880fda8685f8db57a825ccbb3a23018d4343f0364dff12e64ebf9dd73a2cfcc85d91f87d89baaf7a5261fc195660038ecbb9abd23
SSDEEP

12288:tDCzWf4Y0nBvCktKnRRe9kPMkAniIGtBaVOsp79TjC84GJZALOiSn95r30SA:JuWfRABakthaMkETGfawsaUZ4430R

Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sx01

Decoy

r-salessolutions.xyz

jdh1.info

olar-panel-jobs-93084.bond

aebrasil.shop

oshua-xaaaa.buzz

xzkm.shop

nitedviplumbing.net

nnevateknoloji.xyz

rg-a.biz

indow-replacement-34091.bond

uyersagent3percent.net

ostbag.net

ibosolv.net

ahve.today

ophotshotjobs.today

emoreez.art

ift-chairs-94905.bond

okerdom-e.best

stagr.fun

irtyf-ingrancher.info

Targets

- Target
  
  rlxJk85y4E3Cu8R.exe
- Size
  
  797KB
- MD5
  
  4be5e463d0add883315a162191a36a4d
- SHA1
  
  2a23189d3da383aa49c07ca7e05bb943813662a1
- SHA256
  
  812d0912e299dbe0eff0078fcced87ffe5762b103a974dd19cdbb4c21294a193
- SHA512
  
  415a570ea23d12ca8d5f1d597f8373ffc4e57d05145c2a0666519a8b53852c2bd62895a7569abb2aeb8b5109434afe056129aa48124d0b10e147eab5a0c07435
- SSDEEP
  
  12288:DuEcsm04vbBoaGoE80Dir+hOsh79T3C8yG3ZAmwIDH2yZPZ6b1ID:1ct04+sE8wir+0s0wZ7D61ID
Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksx01discoveryexecutionratspywarestealertrojan

behavioral2

formbooksx01discoveryexecutionratspywarestealertrojan