formbook | 089d8381834066449bcd52d04db467353e195fe84745a8d2587bacf93802a706 | Triage

Sharing

General

Target

RFQ REF-JTCAJC-QINHP5-TIS-L0009- AL DHAFRA AL JABER - SUPPLY.exe
Size

586KB
Sample

241118-rgcgnasrfq
MD5

b8a2fa19e2418d7cb6c857ced026585e
SHA1

78e8aad0b3f3caf3058be5caed838fdb1764d233
SHA256

089d8381834066449bcd52d04db467353e195fe84745a8d2587bacf93802a706
SHA512

1f9525d6bac0c733af02983dcd1d02ad8acefef0d8e159aff498c250ae7e688baf552810e21a04136d7fb8243d8ffefcb493649845f7d9a1880f768be30cbdd1
SSDEEP

12288:vRQ9/s0yg2xIBqfmlnT9G5OmLVJ8MjRaEUuyZHYqEQTd1jCoBbBdr3GF8:mqmlnJGEmhHoEQZ1GoBF1q

Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cd36

Decoy

hongrobert.top

msurmis.online

tormdamageroof.net

riglashenie-svadby.store

otorcycle-loans-84331.bond

ouriptv.info

eportingcfo.top

2019.vip

ysphoto.online

hrivegorevx.info

350yhc.top

mwakop.xyz

antan4d-amp.xyz

pc-marketing-95267.bond

cuway.tours

inshiaward.top

akuzainu.fun

scenario.live

arrowlaboratorio.shop

nline-gaming-13926.bond

Targets

- Target
  
  RFQ REF-JTCAJC-QINHP5-TIS-L0009- AL DHAFRA AL JABER - SUPPLY.exe
- Size
  
  586KB
- MD5
  
  b8a2fa19e2418d7cb6c857ced026585e
- SHA1
  
  78e8aad0b3f3caf3058be5caed838fdb1764d233
- SHA256
  
  089d8381834066449bcd52d04db467353e195fe84745a8d2587bacf93802a706
- SHA512
  
  1f9525d6bac0c733af02983dcd1d02ad8acefef0d8e159aff498c250ae7e688baf552810e21a04136d7fb8243d8ffefcb493649845f7d9a1880f768be30cbdd1
- SSDEEP
  
  12288:vRQ9/s0yg2xIBqfmlnT9G5OmLVJ8MjRaEUuyZHYqEQTd1jCoBbBdr3GF8:mqmlnJGEmhHoEQZ1GoBF1q
Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcd36discoveryexecutionratspywarestealertrojan

behavioral2

formbookcd36discoveryexecutionratspywarestealertrojan