formbook | 3efbe773ae918a1822817829ea7d185cf7fca9397ad2cb2cf826935a073b90ab | Triage

Sharing

General

Target

JaffaCakes118_3efbe773ae918a1822817829ea7d185cf7fca9397ad2cb2cf826935a073b90ab
Size

746KB
Sample

241221-zm5pdsyrhs
MD5

dad5a0f45d27e34762f503e5fee29cc2
SHA1

6f1f1a48e639afa7f12d94c8bc09b154fa2b8e56
SHA256

3efbe773ae918a1822817829ea7d185cf7fca9397ad2cb2cf826935a073b90ab
SHA512

a48f4dbb7dbd204f29e122f18d3a43c125c5a668de48da3a75a14cc97a49e52ac624abd6debc81990135a7a59f06ab3f728b062e2b9b605fc767609acff6e056
SSDEEP

12288:UwbXF2lWCHZJVlH4ZL8vsm8HMWDZu1bk36Y69sEaPh7XQ/P8lZ5gkyNGMRB/GMOA:jbXFFQJqnmUw1bkMsE+lX88OggM5ctDb

Score

10^/10

formbook t36t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t36t

Decoy

klinkspremiumwildlife.com

teto-store.com

minneapolistaxattorney.net

zgomc7.com

invest-nj.xyz

uinnou.com

addtr.online

hollydays.online

fearurself.com

balaaconstruction.com

myyacht.rentals

hstonme.xyz

51junt.com

sidagj.com

weelilfellas.com

mroadholdings.com

torontomillwork.com

gonks.shop

jupefeeds.online

drpmb.com

Targets

- Target
  
  22a0ce1fbf304b11510e89f1db8124bf84c59049c919c7b6bbce222db99bf014.exe
- Size
  
  915KB
- MD5
  
  043bdeffd5a49926947bb5da9ffafd2b
- SHA1
  
  962ea1a4c285d1788b01b82ecada92029562c107
- SHA256
  
  22a0ce1fbf304b11510e89f1db8124bf84c59049c919c7b6bbce222db99bf014
- SHA512
  
  d3769e2042754b32c9b7df1e6bf313f9bb59a4489f65e87720e21a97a84b246202af6f989a00490f6bf348f67d4ec65732e3d922909cf45381ffb582922c2638
- SSDEEP
  
  12288:cgSKO12iNPwrP4QZd335766Hav0LAxij1Zk3YJQRu6BqxVdaueP/7B5XH:cga11hwrP4Kd33Ax0RmYJX6UjXePTrX
Score

10^/10

formbook t36t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookt36tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookt36tdiscoveryexecutionratspywarestealertrojan