formbook

General

Target

Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe
Size

628KB
Sample

240621-rjed2atana
MD5

6b799c2e76b37bf96ef35ba8580f0bfc
SHA1

b710a5aa6385f9424c37c944ef27d10ef99df97f
SHA256

e10280c91dc1fb46756d9473163eec9052b8c8a352955d0f21a24246da054ba2
SHA512

3d24d60ddf69dfe6c6124df627dadcb833d8339e59b446cf44a9ecf222d36e58e3d222c8b8f1937554236a0d6121d3fb0d423160ea473a5cd412c8aecac92823
SSDEEP

12288:3fGyCK2xrOonraIEGL78bDS8k67E7KJIojZKBZnU02gvPQ3WEF00QiHM:uyC5raI9L+DS8jkoVgT2KPQ3B9

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com

Targets

- Target
  
  Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe
- Size
  
  628KB
- MD5
  
  6b799c2e76b37bf96ef35ba8580f0bfc
- SHA1
  
  b710a5aa6385f9424c37c944ef27d10ef99df97f
- SHA256
  
  e10280c91dc1fb46756d9473163eec9052b8c8a352955d0f21a24246da054ba2
- SHA512
  
  3d24d60ddf69dfe6c6124df627dadcb833d8339e59b446cf44a9ecf222d36e58e3d222c8b8f1937554236a0d6121d3fb0d423160ea473a5cd412c8aecac92823
- SSDEEP
  
  12288:3fGyCK2xrOonraIEGL78bDS8k67E7KJIojZKBZnU02gvPQ3WEF00QiHM:uyC5raI9L+DS8jkoVgT2KPQ3B9
Score

10^/10

formbook pz12 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2