formbook | c8f65c12fb6f421428217e6f7bc772e3b2608b14ce4cc178292f403edf7bf989 | Triage

Sharing

General

Target

c8f65c12fb6f421428217e6f7bc772e3b2608b14ce4cc178292f403edf7bf989
Size

554KB
Sample

240925-14nmwatele
MD5

302d51e2be57498c1ce9d49a74648cc0
SHA1

cfd7ddb3143de57d0de423cdf4d37f988b308f8f
SHA256

c8f65c12fb6f421428217e6f7bc772e3b2608b14ce4cc178292f403edf7bf989
SHA512

c77dcf41cfee1c9a2975aad970a2197f5d4bd1bec5d52f733220a95462b05f3d9a28d6ac6a4556f022003ec04cbe5993679ee81a8b0c144c7d416594046c638b
SSDEEP

12288:fWDCZXRJycosLY51VjVbKaIf7PV1AYUV4j1sePN+AVwOUkL:ODeXjycufVRb+JRU2e1eUkL

Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c24t

Decoy

ealthbridgeccs.online

ngelicais.art

uktuksu1.sbs

fapoker.asia

hecreature.tech

orenzoplaybest14.xyz

op-smartphones-deal.today

delark.click

7395.asia

otnews.cfd

j16e.xyz

oko.events

fscxb.top

roudtxliberals.vote

asas-br.bond

ourhealthyourlife.shop

fbpd.top

j9u9.xyz

uijiuw.top

aming-chair-37588.bond

Targets

- Target
  
  Payment advice.exe
- Size
  
  688KB
- MD5
  
  a7858d093f5f0f3315109c6c24ed7c2e
- SHA1
  
  ec87e2226e81046e891eef71a5170428b3133403
- SHA256
  
  6f060cc85631ddca9a23b6a588bea990b0fd6b24fedc18021aae81aa3ed10fdc
- SHA512
  
  74a8d5d01a4c7305c292774826d36742bfdbaa315e5b5bf5dd03a2a8f2455bc6db7bb0a17b73f9359ec7a3bd0f295dcd8e274c510c48ee193837fb6eef98505b
- SSDEEP
  
  12288:EI8FcsaCZXRpyCosDf8DYkC4cQ6ysNvPTSveFvo/P79byB:J8FcsaeX3yCpf8OusNWx/5b
Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc24tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc24tdiscoveryexecutionratspywarestealertrojan