formbook | d3714ea47bc57e3b1e6ba1d0b39e3ba7a6c3a42cee183fa01376187c7dfe2c0f | Triage

Sharing

General

Target

BOQ & SPECS-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
Size

726KB
Sample

241106-hlb71swbkc
MD5

fc05c665733c45bb46afc43ebd0631d1
SHA1

ef76ac3e1792637fa7735caf3409048b9f974c4d
SHA256

d3714ea47bc57e3b1e6ba1d0b39e3ba7a6c3a42cee183fa01376187c7dfe2c0f
SHA512

7ee463c05809ff5f440d4f11dac6b3edd48b849f862713db617f98d1966d919c4b7867c4f9d64254ae995de41f95371ff1e4dbaac215f5fa68eb91e869f9560b
SSDEEP

12288:1ZpAuSIzQSIbCmmAQSxv0i/Xhdl5rcoZ4mtdxwwk6GY4bX2:3lQFjmAV7/XhxrcoCm7mPDm

Score

10^/10

formbook rp26 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rp26

Decoy

rn3grmg9.sbs

4644.one

18tbo.com

c9max.shop

8914.loan

eptacore.xyz

ormto.website

vcreative.store

anglaoshi13.buzz

ewa123.bid

vantiverdeoficial.shop

sik89starwin.fun

niquestorebd.xyz

assword-manager-41452.bond

uccessproit.shop

kl1tuvy0.asia

titchinheavenqs.shop

w178.top

errari-mieten-dubai.click

ba-103mu.net

Targets

- Target
  
  BOQ & SPECS-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
- Size
  
  726KB
- MD5
  
  fc05c665733c45bb46afc43ebd0631d1
- SHA1
  
  ef76ac3e1792637fa7735caf3409048b9f974c4d
- SHA256
  
  d3714ea47bc57e3b1e6ba1d0b39e3ba7a6c3a42cee183fa01376187c7dfe2c0f
- SHA512
  
  7ee463c05809ff5f440d4f11dac6b3edd48b849f862713db617f98d1966d919c4b7867c4f9d64254ae995de41f95371ff1e4dbaac215f5fa68eb91e869f9560b
- SSDEEP
  
  12288:1ZpAuSIzQSIbCmmAQSxv0i/Xhdl5rcoZ4mtdxwwk6GY4bX2:3lQFjmAV7/XhxrcoCm7mPDm
Score

10^/10

formbook rp26 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookrp26discoveryexecutionratspywarestealertrojan

behavioral2

formbookrp26discoveryexecutionratspywarestealertrojan