formbook | 8ef601ca3c9f083d30e8c32c00ebe899cdf8129b5e9c7e6a38c28c84aeddc19e | Triage

Sharing

General

Target

DA_2024.23.10.pdf.exe
Size

701KB
Sample

241023-mzg3mswcrb
MD5

38f2a78cdc03a61eac542c14d588472e
SHA1

fb00cd6efd6551c03e44e9344e8a1e7b4cd33745
SHA256

8ef601ca3c9f083d30e8c32c00ebe899cdf8129b5e9c7e6a38c28c84aeddc19e
SHA512

0203ed0dc3353de5da8878b12b66914f26e2dbe97d039a61387f1603091f5d06c1facf99aa4e760fa3e6dea67bc271d0927e21cdc848b6d316dfcbec7f24af03
SSDEEP

12288:Cb6qGanC0p78kt3doR6eOAZuYSut8p55hlOvGTw3bAC6cLqPz6qMtsj:CbcaC0B8k5SVOAZuuWdhl2Qw3VHLq+HS

Score

10^/10

formbook m17o discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m17o

Decoy

kzqh72.top

arket-obybqq.xyz

afechoice.click

ote-knplpa.xyz

aqgpie.xyz

orker-ornp.xyz

he-beds321.today

ut-nlvv.xyz

31231827.xyz

milymariephotography.net

wquqo.click

veu-where.xyz

mjcpo-pick.xyz

yself-lpnbdl.xyz

austoowagosha.net

ive-wgag.xyz

lay-drift-palace.xyz

old-vubgv.xyz

ideo-shooting-courses.today

ntendsisaiasjazmin.shop

Targets

- Target
  
  DA_2024.23.10.pdf.exe
- Size
  
  701KB
- MD5
  
  38f2a78cdc03a61eac542c14d588472e
- SHA1
  
  fb00cd6efd6551c03e44e9344e8a1e7b4cd33745
- SHA256
  
  8ef601ca3c9f083d30e8c32c00ebe899cdf8129b5e9c7e6a38c28c84aeddc19e
- SHA512
  
  0203ed0dc3353de5da8878b12b66914f26e2dbe97d039a61387f1603091f5d06c1facf99aa4e760fa3e6dea67bc271d0927e21cdc848b6d316dfcbec7f24af03
- SSDEEP
  
  12288:Cb6qGanC0p78kt3doR6eOAZuYSut8p55hlOvGTw3bAC6cLqPz6qMtsj:CbcaC0B8k5SVOAZuuWdhl2Qw3VHLq+HS
Score

10^/10

formbook m17o discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm17odiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm17odiscoveryexecutionratspywarestealertrojan