formbook | 6c13b65c7ffaef21388c60cc2be3370b35a729eb9e8986ce1abd3303e144896f | Triage

Sharing

General

Target

6c13b65c7ffaef21388c60cc2be3370b35a729eb9e8986ce1abd3303e144896f
Size

1.0MB
Sample

241106-qzbgmszpex
MD5

5097fe796d4bca99a3d79998c27116cd
SHA1

2e78d6968f547a5d70e5795ce89cbd51a06a90fa
SHA256

6c13b65c7ffaef21388c60cc2be3370b35a729eb9e8986ce1abd3303e144896f
SHA512

d5c8c470c6496e4bc0fc1781f59cbd19f7a96d8cc98d3a5a5956123761bac1f7a635db3b908050652cb42a7ee2f0cd924cb5809239291d5ac3b5c2d723389180
SSDEEP

24576:hN/BUBb+tYjBFHNhz6FI9Dh7WinTX1zJ54D+q0lPBzkFy:jpUlRhPzna4X1zJ5w+JPBAy

Score

10^/10

formbook o52o discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o52o

Decoy

ckroom.xyz

apanstock.online

6dtd8.vip

phone-in-installment-kz.today

ichaellee.info

mpresamkt38.online

ivein.today

78cx465vo.autos

avannahholcomb.shop

eochen008.top

rcraft.net

eth-saaae.buzz

ifxz.info

flegendarycap50.online

reon-network.xyz

ee.zone

ameralife.net

5en4.shop

eal-delivery-34026.bond

anion.app

Targets

- Target
  
  6c13b65c7ffaef21388c60cc2be3370b35a729eb9e8986ce1abd3303e144896f
- Size
  
  1.0MB
- MD5
  
  5097fe796d4bca99a3d79998c27116cd
- SHA1
  
  2e78d6968f547a5d70e5795ce89cbd51a06a90fa
- SHA256
  
  6c13b65c7ffaef21388c60cc2be3370b35a729eb9e8986ce1abd3303e144896f
- SHA512
  
  d5c8c470c6496e4bc0fc1781f59cbd19f7a96d8cc98d3a5a5956123761bac1f7a635db3b908050652cb42a7ee2f0cd924cb5809239291d5ac3b5c2d723389180
- SSDEEP
  
  24576:hN/BUBb+tYjBFHNhz6FI9Dh7WinTX1zJ54D+q0lPBzkFy:jpUlRhPzna4X1zJ5w+JPBAy
Score

10^/10

formbook o52o discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko52odiscoverypersistenceratspywarestealertrojan

behavioral2

formbooko52odiscoverypersistenceratspywarestealertrojan