formbook

Resubmissions

10-10-2024 13:28

241010-qqpb5sxfle 10

10-10-2024 13:25

241010-qnxwhaxemd 10

10-10-2024 13:19

241010-qkwt2asfrm 10

10-10-2024 13:14

241010-qg5mrsxcmh 10

Sharing

Copy URL

Twitter E-mail

General

Target

malw.exe
Size

751KB
Sample

241010-qg5mrsxcmh
MD5

cd4ee0d6ce4f0fcc5105b1601946d94c
SHA1

a1b22767415d6230e9f2442f75b64a948759b8f2
SHA256

000948ea48835dd2fe087ca6b042eabbf280ac93fe2eb94558995a3a9db0b8a9
SHA512

2565e81816c7896db100e5ade16f456c76ee9b711d672711845b89d578a767077836510185fd605db3eefcdf1a1ced3a56e409bfae42f4f3f954d4f1ebaee5b5
SSDEEP

12288:v39mEqOVzmIJnfTu6EKrVwTBbHsot5ZeVK7EWWlPYnlMWn:vIEqE6sTxBwBtve0WRnW

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t18n

Decoy

tmusicoregon.net

atici.online

j7u7.xyz

iewunucierwuerwnziqi1.info

ruvabetgiris.website

acik.lat

obsk.top

sphaltpaving-ttp1-shd-us-2.shop

ispensarynearme.news

b3nd.bond

urelook.xyz

gearlpfbm.top

aconstructionjob.bond

killsnexis.info

oshon.xyz

ashabsxw.top

ussiatraiding.buzz

raipsehumus.homes

6ae23rx.forum

edar88vvip.shop

Targets

- Target
  
  malw.exe
- Size
  
  751KB
- MD5
  
  cd4ee0d6ce4f0fcc5105b1601946d94c
- SHA1
  
  a1b22767415d6230e9f2442f75b64a948759b8f2
- SHA256
  
  000948ea48835dd2fe087ca6b042eabbf280ac93fe2eb94558995a3a9db0b8a9
- SHA512
  
  2565e81816c7896db100e5ade16f456c76ee9b711d672711845b89d578a767077836510185fd605db3eefcdf1a1ced3a56e409bfae42f4f3f954d4f1ebaee5b5
- SSDEEP
  
  12288:v39mEqOVzmIJnfTu6EKrVwTBbHsot5ZeVK7EWWlPYnlMWn:vIEqE6sTxBwBtve0WRnW
Score

10^/10

formbook t18n discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2