formbook | 3a7dc3212715f3b446582cd50ae64325cfbb7e52ff909f29d8848cc2ce01ec97 | Triage

Sharing

General

Target

19092024_0958_18092024_Payment_Advice.7z
Size

897KB
Sample

240919-lzk9masekg
MD5

8e21dda7205fe7e71acae5ede9c07652
SHA1

19f1f5a30aca8fb078706d56408e5b3b18f80a53
SHA256

3a7dc3212715f3b446582cd50ae64325cfbb7e52ff909f29d8848cc2ce01ec97
SHA512

d9962c53268c732973fdba67b32c414e8fdae1d71a6653cddc96acaa5ddffdeeff568bada66486c7b66b40c2727a09f8eee1fc0e11592b84dca32669b38b9d6d
SSDEEP

24576:ne7i6J43XROa3KbhkNmLOzjBqnSu6nIhe+EZhuCNYM17:RUOROa3KVLOz9sSHnn+wUk

Score

10^/10

formbook o52o discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o52o

Decoy

ckroom.xyz

apanstock.online

6dtd8.vip

phone-in-installment-kz.today

ichaellee.info

mpresamkt38.online

ivein.today

78cx465vo.autos

avannahholcomb.shop

eochen008.top

rcraft.net

eth-saaae.buzz

ifxz.info

flegendarycap50.online

reon-network.xyz

ee.zone

ameralife.net

5en4.shop

eal-delivery-34026.bond

anion.app

Targets

- Target
  
  Payment_Advice.exe
- Size
  
  1.0MB
- MD5
  
  add709d038a82c079c278675fdeb601e
- SHA1
  
  79b66e80396e26b4d4dbf7d091dc3c24a65d9e69
- SHA256
  
  deb20efb8b69c1261327f9d75eb26d41338f447cacfa439c69a1e7dc3272e69e
- SHA512
  
  8cbc6b8ca79a52541eb9711f05952e151eb106548281c6ced261c64953302513db05961b74b2f5790c76f2a5383710093a49d70a8ded195a82bc6a0cbf3839c2
- SSDEEP
  
  24576:VN/BUBb+tYjBFHFNiy6FI9Dh7wESIuy8EY7X1zJ54D+q0lPBzkFwIW:/pUlRhFQynRSLy8EY7X1zJ5w+JPBAwIW
Score

10^/10

formbook o52o discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko52odiscoverypersistenceratspywarestealertrojan

behavioral2

formbooko52odiscoverypersistenceratspywarestealertrojan