formbook | 9f2d144187fc0d57f06eb152310bc2c5b0804f26419e75cb2145437ab46f4a4a | Triage

Sharing

General

Target

Quotation_Dec 2024.rar
Size

9KB
Sample

241206-s56wvavlaz
MD5

a923e4fa092152cefdcb8e9fc5e44184
SHA1

efc1f4847e442ecc711e0b43dda911dd50d6c1aa
SHA256

9f2d144187fc0d57f06eb152310bc2c5b0804f26419e75cb2145437ab46f4a4a
SHA512

033820b066c4432686bdf91a14ededd04d8700294190e2d37680383395ddaf4905b1b14cf4e2be48241ed1e287bfa1d9b4ed16d191e514f08efc8afc98e95d4a
SSDEEP

192:QA1hRb0m3yEoi31u9x9K4nuFl9Oot7PqmDqxi3Q5TRpjetB5XQ:QMIwTsNuFDzt7PrQn+BNQ

Score

10^/10

formbook o62s agilenet discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o62s

Decoy

lectrobay.shop

enisehirarnavutkoy.xyz

itoolz.net

otorcycle-loans-40378.bond

opjobsinusa.today

uara228j.shop

ukulbagus10.click

enhealth07.shop

cpoker.pro

ome-remodeling-16949.bond

andu.shop

hubbychicocharmqs.shop

onghi292.top

ussines-web-creators.net

alenspencer.online

ryptogigt.top

epiyiisigorta.online

ental-implants-77717.bond

juta.click

enisehirevleriarnavutkoy.xyz

Targets

- Target
  
  Quotation_Dec 2024.exe
- Size
  
  28KB
- MD5
  
  5ad176cf9482ccedc206fca269089b25
- SHA1
  
  0b917af3c99023327127aa034d3904888029e2d3
- SHA256
  
  7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021
- SHA512
  
  9e9c68cd8467f5b08f514b2315025f9e863f66a2d5746f54b5d7d5df89e8b6e9c232bca3fbfedfd6450b2d1ccb37bbd630ea95c0c1bdd5150acd73fb0841d580
- SSDEEP
  
  192:+YHwHj0yVgOOVinHuCN0Tv2m5g7EDum0KypCkCgS43IhS/rUO50biUU9H+v5mIAf:4AyrgCNkun7EZ3uBIhErX6mPeJACsxh
Score

10^/10

formbook o62s agilenet discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Deletes itself
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko62sagilenetdiscoverypersistenceratspywarestealertrojan

behavioral2

formbooko62sagilenetdiscoverypersistenceratspywarestealertrojan