formbook | 26be7920db544b00db0129fa02a23b74778b0a3cefef50196d44e2fc9903d73f | Triage

Sharing

General

Target

JaffaCakes118_26be7920db544b00db0129fa02a23b74778b0a3cefef50196d44e2fc9903d73f
Size

2.2MB
Sample

241221-zknm4ayrb1
MD5

f912c0b2ca12c4e071a85a69d9c61b4f
SHA1

22334024045517761cbe12001233d212ba45aaf9
SHA256

26be7920db544b00db0129fa02a23b74778b0a3cefef50196d44e2fc9903d73f
SHA512

c352e8d718d1984b60483f7d300b58ad6386c2f2d8f7669ed1303677ac27c15cc3dd259d2b1907493407e39aad732af75a9d12b996226545e7d9c5ee7a9cbce7
SSDEEP

49152:F2FmrCuwlUayISIY/oXT+Bb1bA0TSa3YhylTyy8aMmfVs0:47uhcYwC19TfY05jX

Score

10^/10

formbook nurs discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nurs

Decoy

caixinhascomcarinho.com

abinotools.com

oporto-tours.com

iruos.com

yesmamawinebar.com

wwwscu.com

habit2impact.com

antigenresearch.com

ux4space.com

diarypisces.com

cryptopers.com

lovingmoreband.com

beerwars.net

ascariproject.site

livesoccerhd.info

bluestardivingschool.com

pluik.com

snorrky.space

lcoi9.com

phantomxr.com

Targets

- Target
  
  53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03.exe
- Size
  
  2.2MB
- MD5
  
  ba353539a8f310d60005f004fb94e24f
- SHA1
  
  ca7006f2345678b15cdaa3fd0e70ec6d05862930
- SHA256
  
  53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03
- SHA512
  
  1e1e14b2f00253cb3df5dbe134240d9974992911b9494a620944c9d8036dcf4da14acace197524ccd13826a097c2ad5fe6f441bb46cbaa860b1512279401442a
- SSDEEP
  
  24576:5Mq5HYOYUAm1yHBTjstd5nr6rn9VCZvlB1DfA+D0EdPrxPkMN0V9khzb+xHBmN+B:P5DTVYBTKYn9VuvlDjZdhN0T0zbmENn
Score

10^/10

discovery persistence formbook nurs rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

formbooknursdiscoverypersistenceratspywarestealertrojan