formbook | fef0d0e16559f3c10c8a414b00433d165f132b4444ddc2a7033ab7a2e1bb7604 | Triage

Sharing

General

Target

RFQ 2411001.exe
Size

692KB
Sample

241004-gnlc2asanc
MD5

a4141cc2bdd9f0d2384da197fa0d7fc8
SHA1

81c10a379abde1a806828a649592e7fa21e5f8fb
SHA256

fef0d0e16559f3c10c8a414b00433d165f132b4444ddc2a7033ab7a2e1bb7604
SHA512

4cdf9bc063aa112a9079df7dc4d08784fd1e42c4d20a4000f55e951aadaf08115ae6a1f7a51fa8f77b036b4773b8d6f4940cd0ee8c9e77486017d13929c6a6f4
SSDEEP

12288:yLc6LweloldgJ4gD8sL0TPPuiUspz11KZt0P8x7qXZlpoqMu4UXL3LgkR:yJLweKdxg4C0zPrrpz1yUM0ht4UXjT

Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c24t

Decoy

ealthbridgeccs.online

ngelicais.art

uktuksu1.sbs

fapoker.asia

hecreature.tech

orenzoplaybest14.xyz

op-smartphones-deal.today

delark.click

7395.asia

otnews.cfd

j16e.xyz

oko.events

fscxb.top

roudtxliberals.vote

asas-br.bond

ourhealthyourlife.shop

fbpd.top

j9u9.xyz

uijiuw.top

aming-chair-37588.bond

Targets

- Target
  
  RFQ 2411001.exe
- Size
  
  692KB
- MD5
  
  a4141cc2bdd9f0d2384da197fa0d7fc8
- SHA1
  
  81c10a379abde1a806828a649592e7fa21e5f8fb
- SHA256
  
  fef0d0e16559f3c10c8a414b00433d165f132b4444ddc2a7033ab7a2e1bb7604
- SHA512
  
  4cdf9bc063aa112a9079df7dc4d08784fd1e42c4d20a4000f55e951aadaf08115ae6a1f7a51fa8f77b036b4773b8d6f4940cd0ee8c9e77486017d13929c6a6f4
- SSDEEP
  
  12288:yLc6LweloldgJ4gD8sL0TPPuiUspz11KZt0P8x7qXZlpoqMu4UXL3LgkR:yJLweKdxg4C0zPrrpz1yUM0ht4UXjT
Score

10^/10

formbook c24t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc24tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc24tdiscoveryexecutionratspywarestealertrojan