formbook | 1c7787b9440e1831958e911d164064869f45e254a0a3cdc53d9ef70b1bfc7dd3 | Triage

Resubmissions

09-11-2024 17:20

241109-vwrrns1pdm 10

09-11-2024 14:21

241109-rnzkrswdpq 10

Sharing

General

Target

1c7787b9440e1831958e911d164064869f45e254a0a3cdc53d9ef70b1bfc7dd3
Size

1.2MB
Sample

241109-vwrrns1pdm
MD5

d578645f073f91a510a5310727891da5
SHA1

4d18aef7bbb41099f84544c1b44597912cf2365e
SHA256

1c7787b9440e1831958e911d164064869f45e254a0a3cdc53d9ef70b1bfc7dd3
SHA512

6aef4b711df2503215e4722f57eac2f986e4820fb52b5eff280ac6768a7b50a6acf6f8dda2bb455ef3f263a12864df57d9f005035f86b621ff7f44164b22b0ee
SSDEEP

24576:RHd0Wk9/OG1xlMZH7coVjFCHrDKWmKWlIieiNx+7Ja1ZM4tHZSQwJj:R90Wk9WWlmbjWHKXnlIhirdDMOm

Score

10^/10

formbook oa09 discovery evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oa09

Decoy

grit.careers

kingthaivegas.com

onwingirisleri.net

radio-jesus.com

forestfairiesnft.com

healthyintimatelifestyle.africa

karamoghanasti.africa

gqujtf.com

chaindenmark.com

netzerosemitechnologies.co.uk

kakekpecah1000.com

fiddler-foaled.click

adventurepsychologist.com

miletong.net

discounttirestoresinc.com

goldmanmediaent.com

entsorgunglangnau.ch

brezop.xyz

24-02-2022.site

artificialgrassminneapolis.com

Targets

- Target
  
  FEDEX TRN 771893954554.exe
- Size
  
  2.2MB
- MD5
  
  22b365e10dd635468212251994b194bf
- SHA1
  
  069d6d2395ec518d0156b6d02519d3b8e896e5b5
- SHA256
  
  7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0
- SHA512
  
  fbb27e9c38a6f351edd756b00227c42b98bf08c89c1c85e3b74462a381b61e4347972f373327f540b5744ef661ed0c1b3072b188616d5a5950478720bddefb1b
- SSDEEP
  
  24576:iB26eZ4fTPkhZ2PAG0pMn6+YZ8IOxSD68Q81Zr6kNefAd/YK2HzQX9Kub+YSgrBK:Zhhj+EbjDE81R6iY7O
Score

10^/10

formbook oa09 discovery evasion persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- YARA rule for Mozi IoT Botnet
  Mozi IoT Botnet detection.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookoa09discoveryevasionpersistenceratspywarestealertrojan