formbook | 4a29c020657514662d82cf92cf660922d45184e961473f08326817611afbbb94 | Triage

Sharing

General

Target

NEW ORDER.exe
Size

590KB
Sample

240924-qllqfszcrg
MD5

5c45a9c7ed0522b874a6b277a970fcdd
SHA1

01a55397aacac6bbd33c4e0a415c99b04bbd4b7a
SHA256

4a29c020657514662d82cf92cf660922d45184e961473f08326817611afbbb94
SHA512

e0279dfec3ffdaaeeabc2c9ee1a09932b726f5dfb3a239470308715a9b6091f0fc4e7bfd76694aa34f589e0d796f21f8b131bdf1db2bf79dd8682078d49bfe01
SSDEEP

12288:4S+iIkirVw9iEoElSoERcSltDrabRu6XDyjPu1ulxk/ReneD8bQb:4h2ihlEoGSDlVrV8WaulCwe0I

Score

10^/10

formbook g29o discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g29o

Decoy

edplanethomes.homes

aimin.club

amacheerguide.online

bcddpza.bond

ediamarketplace.online

ynasty.wine

hengsui.top

ousy.fashion

en-mud.xyz

etcall.tech

harity-50528.bond

iski.world

ikelai6.pro

areemeh.info

eitert-suhre-lengerich.audi

959725vkjdngl559.top

73qp28bu.autos

lassiin.shop

audementalplus.online

3win9.cyou

Targets

- Target
  
  NEW ORDER.exe
- Size
  
  590KB
- MD5
  
  5c45a9c7ed0522b874a6b277a970fcdd
- SHA1
  
  01a55397aacac6bbd33c4e0a415c99b04bbd4b7a
- SHA256
  
  4a29c020657514662d82cf92cf660922d45184e961473f08326817611afbbb94
- SHA512
  
  e0279dfec3ffdaaeeabc2c9ee1a09932b726f5dfb3a239470308715a9b6091f0fc4e7bfd76694aa34f589e0d796f21f8b131bdf1db2bf79dd8682078d49bfe01
- SSDEEP
  
  12288:4S+iIkirVw9iEoElSoERcSltDrabRu6XDyjPu1ulxk/ReneD8bQb:4h2ihlEoGSDlVrV8WaulCwe0I
Score

10^/10

formbook g29o discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookg29odiscoveryexecutionratspywarestealertrojan

behavioral2

formbookg29odiscoveryexecutionratspywarestealertrojan