formbook | 89ae7b9ef0c8808f0f84c668065771881555164872af93422ba83745a12c359f | Triage

Sharing

General

Target

5089124.zip
Size

549KB
Sample

240924-l8wrqatgnc
MD5

67a728944e149a7dd20ffe39a367c16c
SHA1

738c63920e8f087022b5d207258e619838342f40
SHA256

89ae7b9ef0c8808f0f84c668065771881555164872af93422ba83745a12c359f
SHA512

affd5b8028bf8fa9a3b0a011c1f8398dbe5a90d87aa607bf2a8cf8cf7d9d2ffb83db751767ce6a737f2bdf4088a9336caa118e6570aa10b33514c24f26b1d65b
SSDEEP

12288:GsUrjw3tPl2w551WnB1Zdzd4SjNOnBmg2i43nsL58iNIhpx:Pi8J/aBHdzuENWBmgpnL58+cf

Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c24t

Decoy

ealthbridgeccs.online

ngelicais.art

uktuksu1.sbs

fapoker.asia

hecreature.tech

orenzoplaybest14.xyz

op-smartphones-deal.today

delark.click

7395.asia

otnews.cfd

j16e.xyz

oko.events

fscxb.top

roudtxliberals.vote

asas-br.bond

ourhealthyourlife.shop

fbpd.top

j9u9.xyz

uijiuw.top

aming-chair-37588.bond

Targets

- Target
  
  5089124.exe
- Size
  
  603KB
- MD5
  
  5a7b139855700ca803dbc54daa52567e
- SHA1
  
  ed76b03d085d9a11a410c4f2bfa056d6c9639176
- SHA256
  
  223786813c2b26e84549506a10b63d6a7c619f99551cf4abaf636d1588f8a001
- SHA512
  
  64def05a152fc1c10ef1c8d27e27ef33338dabb5665d8d6897f6d7db0388cfbfc2a42a808ecdda96ce32d7dd14221ba4c84a22333626f26b40036fd0a83d6d2c
- SSDEEP
  
  12288:QOq8bQbKxrRaWJyBpk5Qs+/hsJntO3XOJWkdzdwSjNenBr0Q+p/PKxxQtmvV:Q0IKxhJwkO/intOOJNdz6ENGBYTZaN
Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc24tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc24tdiscoveryexecutionratspywarestealertrojan