formbook | 754ac5383014101cc4f4fc4010c81669fb042b539088a24291b2004ec8a358ac | Triage

Sharing

General

Target

fee5857a24ab46924d75eb6f2f580f70_JaffaCakes118
Size

3.0MB
Sample

240929-tq3rba1cqm
MD5

fee5857a24ab46924d75eb6f2f580f70
SHA1

8a3ff5b105d6e60a25b37c67f780041274dc9b47
SHA256

754ac5383014101cc4f4fc4010c81669fb042b539088a24291b2004ec8a358ac
SHA512

16cd1fe78a9016069672ccebb7d73c1d2857325f2996cbe900915a3ee5e301b940a987f469dfe292beb0ba10800d1a22357aa85ca18ff7c25b06d1000ca6177a
SSDEEP

24576:mL6eB3zXKwvMmhCdzqUCXQ1AixA0RE/awHQEX+7SsnHugyzs19UX/zy67:UBZkTqUCXGR27

Score

10^/10

formbook rzn discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rzn

Decoy

lyeth.net

annatdinh.com

amber-pozzi.com

kalunenterprise.com

knightskysbts.com

drnishamaharaj.com

neverendingbreadsticks.com

asuvac.com

snapbidz.com

autovistoriapredial.net

eskisla.com

fiorej.com

probuscee.com

elysme.com

laizdancefit.com

pet-imports.com

imasshipping.com

greenflagcars.com

essentialoilphotos.com

demolition4us.com

Targets

- Target
  
  HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe
- Size
  
  1.6MB
- MD5
  
  a03c2d4c4885db5f3e8264e2e0523ee9
- SHA1
  
  53d45a80e79d121ec6745cf8816acb7e6598b897
- SHA256
  
  9dbaa66ef9f31c83ab943932bc96eaf2d6e9c1995b427c75e6e9a259f2c91697
- SHA512
  
  6f2ec109bf1e5b96f35d2b8ff1cc8facad31f329adad3486198f5b80ba38e7a17bf6a10d355f770f4b05b16dc1fedacf43afeaecabdfc8d34b8e998e14135433
- SSDEEP
  
  24576:xlUjX00wR9Uqk8qW0gmRR1Gbp0PjcET+v3JR945EIy8o:xKjXMR9UN8lYGbp0P4E6v3Jf4
Score

10^/10

formbook rzn discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookrzndiscoveryratspywarestealertrojan

behavioral2

formbookrzndiscoveryratspywarestealertrojan