formbook | 4360b21f0e98b3bebd80d53de298f9bf9e59e33f20b80ff9a168633ae36e8b8a | Triage

Sharing

General

Target

29122024_0256_27122024_PO_AM-0004R_ADH92887762678.rar
Size

667KB
Sample

241229-dkx1wa1jhk
MD5

232e05304658849481b70d7538d417e1
SHA1

03b96001c85699a0b4567b2d6b331e1dfd23f627
SHA256

4360b21f0e98b3bebd80d53de298f9bf9e59e33f20b80ff9a168633ae36e8b8a
SHA512

e22cf04f9d8efb7364ce5b50948050cb819b4a355300ff50e7c8b448ab8e8046660f3febfb8a0201b3c2654762a4ae8e4c4e02e1160267f7c8c75b46007bd440
SSDEEP

12288:6u+R2DfGfbWnDil0JTLjikr2FVYtE+yxNhBOgnx8GHQJvPGS03d:6uh8iDEszFr2zoE+GFRnKGwFOd

Score

10^/10

formbook py25 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

py25

Decoy

ezani.fun

rsteknik.online

200mzeus.digital

5497.one

ragonflyers.biz

rome.photos

2142.vip

ise-en-mots.net

tickmangifts.store

thostransporteselogistica.shop

utomation-tools-36376.bond

okyo-tax-expert-459376580.today

azettellm.school

aafarzaneh-emer6.rest

aakoub-mc.xyz

linko-es-playmarket.store

ohr.xyz

ejic.online

iwagarden.net

ealip.net

Targets

- Target
  
  PO_AM-0004R_ADH92887762678.exe
- Size
  
  875KB
- MD5
  
  dc8de56aa173d952bc2c69d40543e119
- SHA1
  
  0a666bec9a6d737bd419c7922350c4939d7a9f94
- SHA256
  
  1aeeef34e64b6b0fa042ae3e9744a227281e9512036461831867fcf531e27a73
- SHA512
  
  302af0dab3330d4c59942be62c564a9d9d63d093d5c060db5dd135f2b56467a09d5d23fd65985de287ba07ff4bb4b7e1ddc185bcb43c1a1b9680488df08bbb32
- SSDEEP
  
  12288:Kk0IaOq+AlnC9Rsy9Ii+iNqsdYy/OBe/Vg95njib9aofSc8L:KuaeYy9Ii+fsay/O8k5u8
Score

10^/10

formbook py25 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookpy25discoveryexecutionratspywarestealertrojan

behavioral2

formbookpy25discoveryexecutionratspywarestealertrojan