formbook | 3b2c92e7d412afc8e5aa4c1faf3d30471425c684703cd61cb97face159dac9ac | Triage

Sharing

General

Target

05693d30a258095b919c382e469e420e_JaffaCakes118
Size

730KB
Sample

241001-l88raatfpn
MD5

05693d30a258095b919c382e469e420e
SHA1

65d317cf88c097b083adc8a1a4258ed35c6336fe
SHA256

3b2c92e7d412afc8e5aa4c1faf3d30471425c684703cd61cb97face159dac9ac
SHA512

53f2c2ffc1e427496e7fd7add8c99ab09bd95472c366c0a1008ce2a5cc3b8d2d61c2782bc22b88b25654328e65b957ebb5ec8ffb2c4a6dc6b250f83703d5b54c
SSDEEP

12288:3BlxN2iNeHK7zY5DczFF++iyFMrVTgOTARMoQboRkmg27mEfoAyRjgJ:3Bl71bMDKb+0FMZ7o6j27mEXyRA

Score

10^/10

formbook owt8 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

owt8

Decoy

globalstainlesssteel.com

bentleymichaels.com

svproductiveparents.com

vikinger.one

kiarabrunett.com

lakelandchiefs.com

kickzcity.com

ceroestrespma.com

torchfarmer.com

angelie26.com

pekinggardenonlineorder.com

brooklynrealtynow.com

makaroniwino.com

wiresncircuits.com

vwealth-archive.com

anfang1718.com

sahaconcierge.com

rctuition.com

premiercovidscreening.com

ryl3inc.com

Targets

- Target
  
  05693d30a258095b919c382e469e420e_JaffaCakes118
- Size
  
  730KB
- MD5
  
  05693d30a258095b919c382e469e420e
- SHA1
  
  65d317cf88c097b083adc8a1a4258ed35c6336fe
- SHA256
  
  3b2c92e7d412afc8e5aa4c1faf3d30471425c684703cd61cb97face159dac9ac
- SHA512
  
  53f2c2ffc1e427496e7fd7add8c99ab09bd95472c366c0a1008ce2a5cc3b8d2d61c2782bc22b88b25654328e65b957ebb5ec8ffb2c4a6dc6b250f83703d5b54c
- SSDEEP
  
  12288:3BlxN2iNeHK7zY5DczFF++iyFMrVTgOTARMoQboRkmg27mEfoAyRjgJ:3Bl71bMDKb+0FMZ7o6j27mEXyRA
Score

10^/10

formbook owt8 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookowt8discoveryexecutionratspywarestealertrojan

behavioral2

formbookowt8discoveryexecutionratspywarestealertrojan