formbook

Resubmissions

17-10-2024 10:38

241017-mpe6astepd 10

17-10-2024 08:37

241017-kh5q9stcnp 10

17-10-2024 08:21

241017-j8y6qszbkf 10

Sharing

Copy URL

Twitter E-mail

General

Target

malw.exe
Size

581KB
Sample

241017-j8y6qszbkf
MD5

1728a3584f50d156a0cff349e336fcaf
SHA1

2a96f905684aac4d25f550f8121e08cf52bcd170
SHA256

d8829590bfc10cebf2fcaed57649932d199832cbe2a31bae2368d7d675a7002d
SHA512

56512a128e47bb296d82ea861da5ed694cecac4a726a8c1ce5b12ea8fdd34b22c7b8b632f57e1e30b62d6018cb778117b7cc60c7d25f0276bab47cbb8680a136
SSDEEP

12288:RzE2jI65WKDq+pmj9/uhvYGgNLU2/8Hf0uzBkhCVbcu9eQ:RzNnlDqamj9/WvYvIo6Chqcu

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  malw.exe
- Size
  
  581KB
- MD5
  
  1728a3584f50d156a0cff349e336fcaf
- SHA1
  
  2a96f905684aac4d25f550f8121e08cf52bcd170
- SHA256
  
  d8829590bfc10cebf2fcaed57649932d199832cbe2a31bae2368d7d675a7002d
- SHA512
  
  56512a128e47bb296d82ea861da5ed694cecac4a726a8c1ce5b12ea8fdd34b22c7b8b632f57e1e30b62d6018cb778117b7cc60c7d25f0276bab47cbb8680a136
- SSDEEP
  
  12288:RzE2jI65WKDq+pmj9/uhvYGgNLU2/8Hf0uzBkhCVbcu9eQ:RzNnlDqamj9/WvYvIo6Chqcu
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2