formbook | df8b0772860e56938078f92e437d4c04ff34808f40837e249b85af1ffb4dee4b | Triage

Sharing

General

Target

3f332ec29d9e058eb1c0e296b04b2518_JaffaCakes118
Size

867KB
Sample

241013-ly5lwavfnq
MD5

3f332ec29d9e058eb1c0e296b04b2518
SHA1

aa4d9429a1f410beb085f86fa4a5f516f99f6a8b
SHA256

df8b0772860e56938078f92e437d4c04ff34808f40837e249b85af1ffb4dee4b
SHA512

87037bf33969bded6e7e245dfe28edb3f2f1b57ea56b7071957157c2c16fbf4005a68dc198b336c751e346931e479a12f5dc1878b583e4e227a47d93d0700c79
SSDEEP

12288:RupVlyZLmQFafwiXjsDB2ZRgQtuyXnEs0YLEjK101Z/jit2NjFxOH+l:RuHWLlFcwkefdtyLE3DjiMNje

Score

10^/10

formbook m3uc discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m3uc

Decoy

biostaticenergy.com

sociofy.media

prscan.com

sendsolution.info

four-three-technologies.com

xporntubesex.com

parisanavidi.com

eesegismundopereira.com

coursecamponline.com

arieconsulting.com

kateheneghan.com

techein.com

automotivesemltd.com

michellag.com

missionpossibletvshow.com

luxuryhomereno.com

borderlessnomads.com

regulus5.xyz

thursdayny.com

meditationmultiverse.com

Targets

- Target
  
  3f332ec29d9e058eb1c0e296b04b2518_JaffaCakes118
- Size
  
  867KB
- MD5
  
  3f332ec29d9e058eb1c0e296b04b2518
- SHA1
  
  aa4d9429a1f410beb085f86fa4a5f516f99f6a8b
- SHA256
  
  df8b0772860e56938078f92e437d4c04ff34808f40837e249b85af1ffb4dee4b
- SHA512
  
  87037bf33969bded6e7e245dfe28edb3f2f1b57ea56b7071957157c2c16fbf4005a68dc198b336c751e346931e479a12f5dc1878b583e4e227a47d93d0700c79
- SSDEEP
  
  12288:RupVlyZLmQFafwiXjsDB2ZRgQtuyXnEs0YLEjK101Z/jit2NjFxOH+l:RuHWLlFcwkefdtyLE3DjiMNje
Score

10^/10

formbook m3uc discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm3ucdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm3ucdiscoveryexecutionratspywarestealertrojan