formbook | 166fbb921baab1b4280ae9d35aaf9664febccce0029eed19cbecfde83d98e0c2 | Triage

Sharing

General

Target

JaffaCakes118_166fbb921baab1b4280ae9d35aaf9664febccce0029eed19cbecfde83d98e0c2
Size

480KB
Sample

241222-a31b6swmcy
MD5

92f7c6ba25e705e8e73373496308cc43
SHA1

d526242fcca9b55616b53e9cc33ca440e035b8e5
SHA256

166fbb921baab1b4280ae9d35aaf9664febccce0029eed19cbecfde83d98e0c2
SHA512

937cbfecccce9e8dea87e85a8026489b8c7caf1a9a40f287296581f0cc065204a8c43e1537949c48c552a696fa4d628b9b5e8e4230ac7fe1bd81023c0ebee948
SSDEEP

12288:b1dlT2N8DqnNIfwkLkbDzE9LBC+3IxSL5SstgNj3RXR:b1HOuEWIWkra3/L9WJBh

Score

10^/10

formbook cfvc discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

cfvc

Decoy

qFcyI8OAPHKap6ubfQ==

NuOCNnr/zOqy1xM5AN4=

CnHfypZMLKQKgKaaVw4J1g==

9WpDFnsiwEyoFko7+GYiyo55

zUKhZPi3f21+ux+L

vqqeiTTPlz+cnQaD

GLGZh9zop+UvsCtBEm9x

eCUGyUEAe9hmj8KgaA==

EvXUn0s63zJyoxQfCGQmMZRu

kVy6iO/FuRGD/A==

+tg0M82KQk7fX4XXoYIluHMEFhbrzMk=

hP/nqutI9DR+0mBnYA==

cwrq1kLJd9QzqtQq9QCc7hHV9FjjKSvU

eE6vlcLHxAHZ7g==

vpKQL84+30y4SZpU/Ox5

vbfnlWZmAj1aVbCdbA==

UNQwEfT8tzbiL3J2Wrjm3g==

02LLqYRY9SeDIHwK5pFjYrg=

PhkLzj8IuT6R7v3lxlBYwqO69HReqnrF

mkYwC5lsF6cDS6RU/Ox5

Targets

- Target
  
  5227918355b47bf8f0cf6eabb0628ff59339d6fd6a3a56ceca4dcefd06dd8d00.exe
- Size
  
  519KB
- MD5
  
  ac506b9b66dfac14f67ca92c679d85bd
- SHA1
  
  bb39da67bac5c77002c3d88e80888786fcd83acd
- SHA256
  
  5227918355b47bf8f0cf6eabb0628ff59339d6fd6a3a56ceca4dcefd06dd8d00
- SHA512
  
  0a92d007ae6331fd4b9fc8f037b9581fb051ba63fefe0b8f1f74f799885875597b53a579e0c6e7273e336b7de3197c3d4ca92ddce3c45bddde25ebb529464834
- SSDEEP
  
  12288:yybs6xoSoNgO7lTPf5aJgGkwuV49WXnX8kp07kyLL1XXMQ+/8+:FNxY3aNkwuV4OqoyLJnMi
Score

10^/10

formbook cfvc discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcfvcdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookcfvcdiscoveryexecutionratspywarestealertrojan