formbook | bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44 | Triage

Sharing

General

Target

aeb64eb2a6f01a3102aa9b4d8e6ec148_JaffaCakes118
Size

421KB
Sample

241129-eeah3ayrgq
MD5

aeb64eb2a6f01a3102aa9b4d8e6ec148
SHA1

c3841970b7fd0e3cb1deb6422423d3a86da793f0
SHA256

bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SHA512

aa74a13b01084c7175c179f823b9e35f6688a7bb5dfc320ca4c054139e9eb2c3cabc08fee60853899c03997dd6c295619f0427523afdbf979897db1ab7ec2f10
SSDEEP

6144:0qWlspsQw0xAcNMoFE9yaUThi3vpV7KyQiMDga0O3kRDpqpF24BwOjx5heO:HWlDl0UqXc7KyUDN0UYDpQFz3jxv

Score

10^/10

formbook cg53 discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cg53

Decoy

sugarlushcosmetic.com

a2net.info

ximakaya.com

thevochick.com

khafto.com

zsgpbgsbh.icu

psm-gen.com

jhxhotei.com

7991899.com

nda.today

fourseasonsvanlines.com

splediferous.info

thesqlgoth.com

newpathequine.com

advan.digital

skamanderboats.com

thejnit.com

pardusarms.net

mevasoluciones.com

biggdogg5n2.com

Targets

- Target
  
  aeb64eb2a6f01a3102aa9b4d8e6ec148_JaffaCakes118
- Size
  
  421KB
- MD5
  
  aeb64eb2a6f01a3102aa9b4d8e6ec148
- SHA1
  
  c3841970b7fd0e3cb1deb6422423d3a86da793f0
- SHA256
  
  bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
- SHA512
  
  aa74a13b01084c7175c179f823b9e35f6688a7bb5dfc320ca4c054139e9eb2c3cabc08fee60853899c03997dd6c295619f0427523afdbf979897db1ab7ec2f10
- SSDEEP
  
  6144:0qWlspsQw0xAcNMoFE9yaUThi3vpV7KyQiMDga0O3kRDpqpF24BwOjx5heO:HWlDl0UqXc7KyUDN0UYDpQFz3jxv
Score

10^/10

formbook cg53 discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcg53discoverypersistenceratspywarestealertrojan

behavioral2

formbookcg53discoverypersistenceratspywarestealertrojan