formbook | 36e8f30c3b2c7de1173d7b6e14b44c0f4141943a4f92f7e47c88e4cf29099da3 | Triage

Sharing

General

Target

21112024_1248_dte56u.zip
Size

606KB
Sample

241121-p1th6sslet
MD5

bf456e41aa028ef43e471b741f186748
SHA1

5cf51973f6c4f8d778ea655483737db0c766cd3d
SHA256

36e8f30c3b2c7de1173d7b6e14b44c0f4141943a4f92f7e47c88e4cf29099da3
SHA512

a85a7796d2beee3f6ac7dd0d869f1eb2c363f072eefc9327c384de3b580184e6a5a02cfb2ee8fc5f46ceb4e0d06a1ef2c9b20cc04c11dbb8e52b695b24ffce68
SSDEEP

12288:9MCcBOxWWBbD2BWKwUDG5ucPJegw18z++2egt4jPr8P95mxB3wxk1:RxWkbodDGdxeXE2ehXG9YxB3w+1

Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cd36

Decoy

hongrobert.top

msurmis.online

tormdamageroof.net

riglashenie-svadby.store

otorcycle-loans-84331.bond

ouriptv.info

eportingcfo.top

2019.vip

ysphoto.online

hrivegorevx.info

350yhc.top

mwakop.xyz

antan4d-amp.xyz

pc-marketing-95267.bond

cuway.tours

inshiaward.top

akuzainu.fun

scenario.live

arrowlaboratorio.shop

nline-gaming-13926.bond

Targets

- Target
  
  BOQ & SPECS-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe
- Size
  
  691KB
- MD5
  
  8f91e7ab8e06bf58adf2509e93159a5d
- SHA1
  
  2d2fea690c15c4bfe9f9ca4c0b8b8cc509d7daac
- SHA256
  
  5cd64ae8366b7fa1f1dc762013e0fe8e30caa6c6aa50a0df07cf3a953de6749c
- SHA512
  
  6bd3689dc70b7a033f152e21c02d5c1ce01db3cd7898d884b24762a90ff2c2c52b5b58853797601fdc4d702a2b557e2d86d098fe7084121da464d48907ef856d
- SSDEEP
  
  12288:sH3wtfRzxWWgA2ymE5HhizN0PUWesw18zm+gem395mSVb2h17pcU:sHMpzxWNbymCHhizqpeDCgeU9Y
Score

10^/10

formbook cd36 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcd36discoveryexecutionratspywarestealertrojan

behavioral2

formbookcd36discoveryexecutionratspywarestealertrojan