formbook | 449b420eee40904b0196acfaaaa7e7f2d6016c4490b7cdee4ec99a1bfd300b36 | Triage

Sharing

General

Target

28092024_0814_26092024_cotización pdf.exe.xz
Size

744KB
Sample

240928-j454gsvhrn
MD5

c1885f0bc91df4128cdd590a2a29c647
SHA1

4e9e19fcd57a2a57e314b7351810b584ed836700
SHA256

449b420eee40904b0196acfaaaa7e7f2d6016c4490b7cdee4ec99a1bfd300b36
SHA512

2e2046b77f43ad46571a1af86320c7343d8e19569a46b238816addd042bf177d86b6a5a6b1577c16fc66ef0c6fd00a5db61490181dd5b3b46ee6801833d95e77
SSDEEP

12288:EUnNmzbGChuk47f3DHSk62Crn6oTfjuLYa68KDba4xhFvWICMmTIKYYKD/tRQOE:7NmlQrTykpCrCLYa68K1FvWIcUKYYQ/8

Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

- Target
  
  28092024_0814_26092024_cotización pdf.exe
- Size
  
  1.6MB
- MD5
  
  519ab1c94ac812416544cffb1dba0ff6
- SHA1
  
  19b2be0e160f41d59744c886b39c9c8583ad6993
- SHA256
  
  e4247c7d552dd305606a2e6eb656dff526199c4afc9b46e00e957bc122444604
- SHA512
  
  ce10933d68f56241e5ee0a2b232376dda8cad05e06a1ae15ff91fd07e079a007941001f5c0880ff13bb8d51fed72d9e5bbd1a2733448aa902b1356819fd2cc75
- SSDEEP
  
  49152:sAodtaG9kS2U84B+FLan9k5TRM9zlpVjmi84:c/B1h
Score

10^/10

formbook kmge discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookkmgediscoveryexecutionratspywarestealertrojan

behavioral2

formbookkmgediscoveryexecutionratspywarestealertrojan