formbook | fe32cd498b7f031639961bfb962d1289896a3667f38f06f801b2c5d97d0b5906 | Triage

Sharing

General

Target

Richiesta di ordine di acquisto.bat.exe
Size

557KB
Sample

241015-m2tjfszhna
MD5

dcd9c57244a83cd35adfa45b77ff067d
SHA1

27ce5b224de70dc03e543f83e552327fc3cbf867
SHA256

fe32cd498b7f031639961bfb962d1289896a3667f38f06f801b2c5d97d0b5906
SHA512

6dd0a11d6200468fcc443f783e6398d99c332d92d8e85631476594fefb6ac5cb1f55eed06c82eb8b5c42af22bb2a583e6113bb5038ad6de5d84c9e6395efa5d3
SSDEEP

12288:BIUSS6lepp01pb58OeBtvu0d8GEoZY9Eqtf7wIRFj:BmS7pmpReBt2NFoZYSOwIRF

Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cu29

Decoy

qidr.shop

usinessaviationconsulting.net

68716329.xyz

nd-los.net

ealthironcladguarantee.shop

oftware-download-69354.bond

48372305.top

omeownershub.top

mall-chilli.top

ajakgoid.online

ire-changer-53482.bond

rugsrx.shop

oyang123.info

azino-forum-pro.online

817715.rest

layman.vip

eb777.club

ovatonica.net

urgaslotvip.website

inn-paaaa.buzz

Targets

- Target
  
  Richiesta di ordine di acquisto.bat.exe
- Size
  
  557KB
- MD5
  
  dcd9c57244a83cd35adfa45b77ff067d
- SHA1
  
  27ce5b224de70dc03e543f83e552327fc3cbf867
- SHA256
  
  fe32cd498b7f031639961bfb962d1289896a3667f38f06f801b2c5d97d0b5906
- SHA512
  
  6dd0a11d6200468fcc443f783e6398d99c332d92d8e85631476594fefb6ac5cb1f55eed06c82eb8b5c42af22bb2a583e6113bb5038ad6de5d84c9e6395efa5d3
- SSDEEP
  
  12288:BIUSS6lepp01pb58OeBtvu0d8GEoZY9Eqtf7wIRFj:BmS7pmpReBt2NFoZYSOwIRF
Score

10^/10

formbook cu29 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcu29discoveryexecutionratspywarestealertrojan

behavioral2

formbookcu29discoveryexecutionratspywarestealertrojan