formbook | f9589f810b0a61d3fb5643856b3feb56b7710a309fbe0eab29f1f7a7cd74f928 | Triage

Sharing

General

Target

db6d3cab6ab5c0c2e324c6615ac15271_JaffaCakes118
Size

946KB
Sample

240911-3m1xzszcjg
MD5

db6d3cab6ab5c0c2e324c6615ac15271
SHA1

ec26b25a98165a97442c53f197cc5bcd9c424b23
SHA256

f9589f810b0a61d3fb5643856b3feb56b7710a309fbe0eab29f1f7a7cd74f928
SHA512

b9dbb72d4426c0db8db93347f90b22d0dee014de947ef57bdf9f0bb2d677080aefcbd166ef93e249d5239cba857ba831478a6b8479e6bf4a4141c2b42a5a880f
SSDEEP

12288:qIQZ0whoMbKAn6wRt+50pt78pUC8an8pUC8afgQe0MvU8OWD4EvjsVklCl3H6qwc:pWoMbKK3Z8N8xRe0MvzH4E4VkClX0ha

Score

10^/10

formbook bft discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bft

Decoy

edenicities.com

buntingfordhomeservices.com

nuanceproducoes.com

divasinspire.com

capiturn.com

zbjsn.com

thegioicaytrongnha.com

featherventure.com

onbrandtrading.com

sanguoban.com

doorman.pro

ourhomie.net

iwassickonholiday.com

mrcskin.com

reallycoolmask.com

tkrbeautyinstitut.com

keytomiami.com

sesliduybeni.com

asherwebber.com

starkweatherwindows.net

Targets

- Target
  
  db6d3cab6ab5c0c2e324c6615ac15271_JaffaCakes118
- Size
  
  946KB
- MD5
  
  db6d3cab6ab5c0c2e324c6615ac15271
- SHA1
  
  ec26b25a98165a97442c53f197cc5bcd9c424b23
- SHA256
  
  f9589f810b0a61d3fb5643856b3feb56b7710a309fbe0eab29f1f7a7cd74f928
- SHA512
  
  b9dbb72d4426c0db8db93347f90b22d0dee014de947ef57bdf9f0bb2d677080aefcbd166ef93e249d5239cba857ba831478a6b8479e6bf4a4141c2b42a5a880f
- SSDEEP
  
  12288:qIQZ0whoMbKAn6wRt+50pt78pUC8an8pUC8afgQe0MvU8OWD4EvjsVklCl3H6qwc:pWoMbKK3Z8N8xRe0MvzH4E4VkClX0ha
Score

10^/10

formbook bft discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbftdiscoveryratspywarestealertrojan

behavioral2

formbookbftdiscoveryratspywarestealertrojan