formbook | 1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821 | Triage

Sharing

General

Target

f691fb2c2b5183a496711a5b78b575ce.hta
Size

115KB
Sample

240923-wvbjqszcqa
MD5

f691fb2c2b5183a496711a5b78b575ce
SHA1

ce9603dd85d843e4fd9fa66843f46ca5ece4e260
SHA256

1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821
SHA512

ce1e7a6b64b0d14d1d42ddf134d5db74aa8a17c6945c32f17829fbce7f309bd8f34ac1d750548c66c1cf4dcbd234531c6f57e354ac5f605331d39a57d9bb11ba
SSDEEP

96:Ea+M7iHLlFPiJSHLqFPiJGkpmfORxcHLoHLDFPiJTHLQcAT:Ea+QiHJFPlHOFPhLHsHfFPmHcT

Score

10^/10

formbook j62t defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j62t

Decoy

qualegacy.shop

ijngblv.top

hop-tiktok.top

nti-aging-66026.bond

ostashqiptare-al.info

faretireltd.info

dra.finance

arden-office-45382.bond

nair.today

dence.tokyo

omoantifragilis.net

eet-new-people-26331.bond

ocfamilyto.llc

roduct-tester-jobs-68513.bond

elestialaurelia.buzz

uzzbuilders.buzz

ryptofaucet.xyz

krfq.shop

jbhu.vip

uemw.top

Targets

- Target
  
  f691fb2c2b5183a496711a5b78b575ce.hta
- Size
  
  115KB
- MD5
  
  f691fb2c2b5183a496711a5b78b575ce
- SHA1
  
  ce9603dd85d843e4fd9fa66843f46ca5ece4e260
- SHA256
  
  1c7d8ace58257e970e2f7738886c596d8189f85cef9127dba9b324735f506821
- SHA512
  
  ce1e7a6b64b0d14d1d42ddf134d5db74aa8a17c6945c32f17829fbce7f309bd8f34ac1d750548c66c1cf4dcbd234531c6f57e354ac5f605331d39a57d9bb11ba
- SSDEEP
  
  96:Ea+M7iHLlFPiJSHLqFPiJGkpmfORxcHLoHLDFPiJTHLQcAT:Ea+QiHJFPlHOFPhLHsHfFPmHcT
Score

10^/10

formbook j62t defense_evasion discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookj62tdefense_evasiondiscoveryexecutionratspywarestealertrojan

behavioral2

formbookj62tdefense_evasiondiscoveryexecutionratspywarestealertrojan