formbook | 0ed2742388b2b9e44e5ca08e817ac9a31a020324577ccf47f7c1078a5009df5a | Triage

Sharing

General

Target

123.7z
Size

560KB
Sample

241105-krvyesyfnq
MD5

27a9d57d79da312d652eb1a8e6e16e29
SHA1

a283cc7832e38ac3cc679b623d2062653e8b5583
SHA256

0ed2742388b2b9e44e5ca08e817ac9a31a020324577ccf47f7c1078a5009df5a
SHA512

6a8075e8ce7323528ef9c858935d23b1d38c6dda164aaaf870d0b70eb6655ca9fbc7a27d422b52295af5e9d9be0707338d4e5fe559634b7035f2c0c5e0075c2a
SSDEEP

12288:mbB/HqFuF3UjB4ksDlerYDTf2cu1ztnEaWdpBYnbsAfzctugTp1EBr6:mbBCglUSkC9TOcEtEaqBAQ6YogTp1E0

Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cd36

Decoy

hongrobert.top

msurmis.online

tormdamageroof.net

riglashenie-svadby.store

otorcycle-loans-84331.bond

ouriptv.info

eportingcfo.top

2019.vip

ysphoto.online

hrivegorevx.info

350yhc.top

mwakop.xyz

antan4d-amp.xyz

pc-marketing-95267.bond

cuway.tours

inshiaward.top

akuzainu.fun

scenario.live

arrowlaboratorio.shop

nline-gaming-13926.bond

Targets

- Target
  
  123.exe
- Size
  
  697KB
- MD5
  
  6ef6d9ab38e828238dd6b2e31d020098
- SHA1
  
  2664e77a7b72bad3ed91f65ce33bbe85a31b1e12
- SHA256
  
  4e7468981f7c2449a90d01304d8404c29f220610d6865ee0e5742b23bbbddfee
- SHA512
  
  86b8f003a939f29f93de058a47cb0561f6b0a3d9f4ffd9d51d2b800613ebf53a80f0c530f9d9dcab9e250b44d6d94a7c9af3826289475de598211080ec450837
- SSDEEP
  
  12288:5lxSqVhZfm4/EXm9keTTBkYk6BaGLJkM5iUjZuXgp0xr9NkR8fsbT8fgf:ZSqV/fPZGe3A6BaGLqM5iUj0v9NkSUa
Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcd36discoveryexecutionratspywarestealertrojan

behavioral2

formbookcd36discoveryexecutionratspywarestealertrojan