formbook | b1f9b3ef3e6192490d6ff9f23f8b360edf2c5b7722a2ba843d1ece24c2f990ce | Triage

Sharing

General

Target

JaffaCakes118_b1f9b3ef3e6192490d6ff9f23f8b360edf2c5b7722a2ba843d1ece24c2f990ce
Size

398KB
Sample

241222-em1efsspfw
MD5

dc59326f792e6e4009c04267705eff46
SHA1

15721184548bda3c016d38279006583b3515c8d9
SHA256

b1f9b3ef3e6192490d6ff9f23f8b360edf2c5b7722a2ba843d1ece24c2f990ce
SHA512

a3973af574081beea4eea70a6a82b392cf44a5700cb8811677231809127a1658a8b76c97dbbe0a3f89522b37e7e1d650ec745ddd683bd4cc80f05d673ec226fd
SSDEEP

12288:HofT3wjWjs75FwFPIMqsBO8V9XosQPhllWhaUXnNHa8+I9a:y31s75FwMsBHV9Y3heXN0

Score

10^/10

formbook ksb discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ksb

Decoy

rbscotl.net

mimascota10.com

ncylis.com

mariemdonacosmetics.com

elitecleaningnow.com

stockvisioner.com

whatsmodish.com

paghaze.com

weargoodsport.com

alesspace.com

rajputboarding.com

ctezna.site

athetheist.com

neurologistaandreialamberti.com

pindaz.com

ericsklavos.com

icare4me.com

xn--pypl-qoac.com

52swith.com

chetansenterprises.com

Targets

- Target
  
  Project 88399287990.exe
- Size
  
  622KB
- MD5
  
  3837485b707ee00ae594d8b339c56ece
- SHA1
  
  df8dab1ca8581cdf2c8de899d0d4a8df8ca8d24c
- SHA256
  
  71ef3a1c1b5deecad87d419dff14667503ffbfb7f5a16f5b53eda57ae33bde7b
- SHA512
  
  6a243b10b4e556d4cf6c95f5f7d534f0ec8bd32f6cb5c153abfbdf2dcaa04c6adcb122a42cccb882cee90c98b6d50fc04bb9355f0de7a82a27e615ae10c39ba6
- SSDEEP
  
  6144:UJ4uZ9l5FllawMqFj/02XzSlGDQNo/vSx2oJrZKhCuKEB96MFZN+4RSOKQm0umL:UJ4up5UwMqFjjU3QMVtuKEn6qq4I
Score

10^/10

formbook ksb discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookksbdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookksbdiscoveryexecutionratspywarestealertrojan