formbook | 32f5b8e667b553b315081b67b675824e7c8b4a54ec310fb3eb4fd4cc6f9cd487 | Triage

Sharing

General

Target

14102024_1407_12102024_DEBIT NOTE - JJ SUN 2439S - TRHU8130777 - SHHPG24177569.rar
Size

548KB
Sample

241014-rff4fstamr
MD5

640a8314ee8e50588fa933fb411757b5
SHA1

9acc4e383f8b0605f7918820ca6250225035c7c8
SHA256

32f5b8e667b553b315081b67b675824e7c8b4a54ec310fb3eb4fd4cc6f9cd487
SHA512

616b3b4907c9ac470b591db1455c50f44fad3974382e47cb383f744a705dc30b5ba545f73ecfde5037abede9688e294f8f56374eed0b4d6d7d6f76ced0230d42
SSDEEP

6144:16BC7gnxrkgTAPGrGD6I1+e8Tt3+mPyg7o2qJRD+IGnT2NNgBa6OSbkDyYZ1MZab:eLUPGil4tyGqP+IGT2UTOSm3BT0m

Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cu29

Decoy

qidr.shop

usinessaviationconsulting.net

68716329.xyz

nd-los.net

ealthironcladguarantee.shop

oftware-download-69354.bond

48372305.top

omeownershub.top

mall-chilli.top

ajakgoid.online

ire-changer-53482.bond

rugsrx.shop

oyang123.info

azino-forum-pro.online

817715.rest

layman.vip

eb777.club

ovatonica.net

urgaslotvip.website

inn-paaaa.buzz

Targets

- Target
  
  DEBIT NOTE - JJ SUN 2439S - TRHU8130777 - SHHPG24177569.bat
- Size
  
  621KB
- MD5
  
  b631685c5ef9ee26ded25c76ab3eda27
- SHA1
  
  03696b36c4838440cf8def9687117745c9edbd19
- SHA256
  
  a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069
- SHA512
  
  62fe2308ad1490495ec283027e2f07c7d5179ba9a327791de0b98a5f29db4ea3c721d3866674cedcb4033153ff5515d7f5bdc17d547191519dba70cd1c483134
- SSDEEP
  
  12288:tLczRLw1+27aPipUXT8eseyW2dv1WlYpXJk1jJT8CWqpqJ4uSYGExH0z:dctLw1+AaPOUXIjew1Umsj+0q2
Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcu29discoveryexecutionratspywarestealertrojan

behavioral2

formbookcu29discoveryexecutionratspywarestealertrojan