formbook | 72b5d68d6c8950e772883b8f387299c41af00d127279bdd485e7df876a8d1cc7 | Triage

Sharing

General

Target

f11bb81e041a91db95a1926039272956_JaffaCakes118
Size

394KB
Sample

240922-c13evsyalb
MD5

f11bb81e041a91db95a1926039272956
SHA1

c05e2cb8ada2322627e38ddc765a0e6b7c217126
SHA256

72b5d68d6c8950e772883b8f387299c41af00d127279bdd485e7df876a8d1cc7
SHA512

665de91837995a7fb7d84dcfbd7448275112f06223c726579b8f7102b675d1961a08c8dadf39fde4dfbb81e179606ff164a9aeb30e6916c3fed3fceec08af863
SSDEEP

6144:gtstdQ+3HwOC8gAmWJ1TpRToN/5wRT1kGNvstnPvWGpfD5LGJ0Sce0:VWoC8+M1rUNhwf2PV1aJvc/

Score

10^/10

formbook c6ns discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c6ns

Decoy

yourherewellness.com

programing.biz

vupay.xyz

adultsexystory.com

mhealthylifestyles.com

lakelanddumpsterrental.net

cashforcarsguru.com

kibbiobank.com

clothingeeff.com

i1is165h.xyz

savingspilots.com

jyano.icu

courageouspeace.com

hypematter.online

lshoxnux3p.com

momatra.com

1orangemail.com

rollerderbyfinland.com

marathonmindsetcollective.com

theblessingscourse.com

Targets

- Target
  
  f11bb81e041a91db95a1926039272956_JaffaCakes118
- Size
  
  394KB
- MD5
  
  f11bb81e041a91db95a1926039272956
- SHA1
  
  c05e2cb8ada2322627e38ddc765a0e6b7c217126
- SHA256
  
  72b5d68d6c8950e772883b8f387299c41af00d127279bdd485e7df876a8d1cc7
- SHA512
  
  665de91837995a7fb7d84dcfbd7448275112f06223c726579b8f7102b675d1961a08c8dadf39fde4dfbb81e179606ff164a9aeb30e6916c3fed3fceec08af863
- SSDEEP
  
  6144:gtstdQ+3HwOC8gAmWJ1TpRToN/5wRT1kGNvstnPvWGpfD5LGJ0Sce0:VWoC8+M1rUNhwf2PV1aJvc/
Score

10^/10

formbook c6ns discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc6nsdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookc6nsdiscoveryexecutionratspywarestealertrojan