formbook | f23a4109022b07435c73f2f5e29770e87cdda4ef2a77c8b978a2b089399ea903 | Triage

Sharing

General

Target

0c2b1eeac25a832ce077154cf58b8ffd_JaffaCakes118
Size

909KB
Sample

241002-x7tfrasglk
MD5

0c2b1eeac25a832ce077154cf58b8ffd
SHA1

b6c42b104518cd63b967edbffe1c25187fa7d9f3
SHA256

f23a4109022b07435c73f2f5e29770e87cdda4ef2a77c8b978a2b089399ea903
SHA512

93622b34856b3aaf16967fac2dd53f388ebf1de5096a8b30a5a19ba76ec7f907b72aa80d9f6eb498f6162cff1f8d5cb8f5f532c0d745af0f6f761ac350d7233a
SSDEEP

12288:taWK2n3qGaNHEyC9/oR9gy5FHK7zj40FvGFrE4trCdBdWSQZ3+ybEwcjpg+OzRV6:tnKePp9AR95yX40F8rC1K1Fc9QVixIO

Score

10^/10

formbook o4ms discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o4ms

Decoy

fishingboatpub.com

trebor72.com

qualitycleanaustralia.com

amphilykenyx.com

jayte90.net

alveegrace.com

le-fleursoleil.com

volumoffer.com

businessbookwriters.com

alpin-art.com

firsttastetogo.com

catofc.com

ref-290.com

sbo2008.com

fortlauderdaleelevators.com

shanghaiyalian.com

majestybags.com

afcerd.com

myceliated.com

ls0a.com

Targets

- Target
  
  0c2b1eeac25a832ce077154cf58b8ffd_JaffaCakes118
- Size
  
  909KB
- MD5
  
  0c2b1eeac25a832ce077154cf58b8ffd
- SHA1
  
  b6c42b104518cd63b967edbffe1c25187fa7d9f3
- SHA256
  
  f23a4109022b07435c73f2f5e29770e87cdda4ef2a77c8b978a2b089399ea903
- SHA512
  
  93622b34856b3aaf16967fac2dd53f388ebf1de5096a8b30a5a19ba76ec7f907b72aa80d9f6eb498f6162cff1f8d5cb8f5f532c0d745af0f6f761ac350d7233a
- SSDEEP
  
  12288:taWK2n3qGaNHEyC9/oR9gy5FHK7zj40FvGFrE4trCdBdWSQZ3+ybEwcjpg+OzRV6:tnKePp9AR95yX40F8rC1K1Fc9QVixIO
Score

10^/10

formbook o4ms discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko4msdiscoveryratspywarestealertrojan

behavioral2

formbooko4msdiscoveryratspywarestealertrojan