formbook | 48c0b8ae821d511d0bda3545162ac9995e9f6a6368a60fc43de149c6f35cc07d | Triage

Sharing

General

Target

48c0b8ae821d511d0bda3545162ac9995e9f6a6368a60fc43de149c6f35cc07d
Size

605KB
Sample

240930-l7djratfjb
MD5

3cf1095b5fee51c851248f90301670aa
SHA1

dd4380b1dce3571448b49f97ddf6fd0255a9dfa6
SHA256

48c0b8ae821d511d0bda3545162ac9995e9f6a6368a60fc43de149c6f35cc07d
SHA512

4048cb6c79ab1f5a7142d1e0fbc569ef5cbc793d7d157d86d15b1b52cadf767b913c266e4814559631a96eae32fda9a8ae9e42b6fc59fcc8c14bdf5bb8d75517
SSDEEP

12288:1YMVvOO2gthIef+D+9+ORkTCYUVvXAjtiEQy7fF9XybamaqAJAEV:1DVG9ytD9FRkWYSXAjtnPfXeabiEV

Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c24t

Decoy

ealthbridgeccs.online

ngelicais.art

uktuksu1.sbs

fapoker.asia

hecreature.tech

orenzoplaybest14.xyz

op-smartphones-deal.today

delark.click

7395.asia

otnews.cfd

j16e.xyz

oko.events

fscxb.top

roudtxliberals.vote

asas-br.bond

ourhealthyourlife.shop

fbpd.top

j9u9.xyz

uijiuw.top

aming-chair-37588.bond

Targets

- Target
  
  10 1102-013-24-117.exe
- Size
  
  723KB
- MD5
  
  136dcc6497b13fe87bbad4aa5f859593
- SHA1
  
  9da85420d2681d65df6757f44a0c8055ce6c1fba
- SHA256
  
  c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
- SHA512
  
  5e842aa0858845c4322c847fd2497cfe515a2ed62e36337978a020c061d6555cb19dbac58c6c988a97d3bfd88de66bfc4a4e96bf1c46e78d94c2435051cd1c91
- SSDEEP
  
  12288:21ZF8Kz3TPb4DryC6L1+0rs/yo05u30HzdHpGo1UV60QFLZSkR:2yeyrUp1o/4HiV60sZh
Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc24tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc24tdiscoveryexecutionratspywarestealertrojan