formbook

General

Target

6b799c2e76b37bf96ef35ba8580f0bfc.bin
Size

596KB
Sample

240623-cpz6cszckk
MD5

c7b0e757d052a7aa04c161199575927e
SHA1

91b910d0b4cd4f40aea373d05419569af6ef5a51
SHA256

42eaa1826532b873726fa4cab1494fe973a8b0da2ecc6686245ca0b3312f8f51
SHA512

664a2bdaa9d9e5fa1aac5f12895671cc75bdb510816456ed8e507ddaba9e2d05908d3b992d8888bcfbe64982cf3c18caf85d095aefe3f57e1e192276c8432af9
SSDEEP

12288:HOC6+3uTJOwNhlimP/+I5Ubnrq6xJTSYdbUd5rK4ZJAes:HOk3uTpUmP/+I6zr9JTHdUvrKUJZs

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com

Targets

- Target
  
  e10280c91dc1fb46756d9473163eec9052b8c8a352955d0f21a24246da054ba2.exe
- Size
  
  628KB
- MD5
  
  6b799c2e76b37bf96ef35ba8580f0bfc
- SHA1
  
  b710a5aa6385f9424c37c944ef27d10ef99df97f
- SHA256
  
  e10280c91dc1fb46756d9473163eec9052b8c8a352955d0f21a24246da054ba2
- SHA512
  
  3d24d60ddf69dfe6c6124df627dadcb833d8339e59b446cf44a9ecf222d36e58e3d222c8b8f1937554236a0d6121d3fb0d423160ea473a5cd412c8aecac92823
- SSDEEP
  
  12288:3fGyCK2xrOonraIEGL78bDS8k67E7KJIojZKBZnU02gvPQ3WEF00QiHM:uyC5raI9L+DS8jkoVgT2KPQ3B9
Score

10^/10

formbook pz12 execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2