formbook | ed5c55e1ce4b681af404a573caf768de0a8c2dad822687a16333d9ba23b68c97 | Triage

Sharing

General

Target

JaffaCakes118_ed5c55e1ce4b681af404a573caf768de0a8c2dad822687a16333d9ba23b68c97
Size

890KB
Sample

241222-ylj6maxkey
MD5

da2f7185d8e71c47c361eaeb8587bdc0
SHA1

754ba8d18ca0cc22f894d6355533bdaa711348d4
SHA256

ed5c55e1ce4b681af404a573caf768de0a8c2dad822687a16333d9ba23b68c97
SHA512

00568b628fce64d30b7e4f2ed8f343b35470840bcb10a11a26327112e774906c5b6d63ddc1ea30f964a8f8878989787a424ca95b2cd1d0dd4cc9ea15cda7c4a6
SSDEEP

24576:Xva5D8rZQx/D3XOg+WYqX+WGSkG97RT2k/bwyUNFy:Xy5D8q/D3XOpY6QuS8yUNFy

Score

10^/10

formbook qcr9 discovery rat spyware stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

formbook

Campaign

qcr9

Decoy

Zk2VuT0awFchUJhLp4MS5oLSBcwU

NMvejbmdPn1uoAC9

IRUGwmzjqclXNHPmXWaSNm8w5fFOQMo=

/o6UUIZ9O14oYmy4

oRJSLVVEUn4N

7hEdy1Fa4EIRUqd4y2myftij4w==

lbS2c/H3t89F3+erG4s=

dUmEPGSnWX4MB0dJL4U=

aK0ILCtJRxsoYmy4

KnfB6uhoMLiQ8zqh

A4fvFjER+VQoYmy4

LAtVhC+AM1rl7W1EHjbJdf9484RHgA==

N22bvcNIAg3wzTav

SXCrx+C1cQnN+TQzYotwBy4=

ZfsOtdXHnaBBjA==

NqrplSV6IXd7WNg=

y2FVFTq1L2D86i9IWZw=

tgVWf4TdSXQJ7i9IWZw=

QWxmAlr5okA=

jT92xFr5okA=

Targets

- Target
  
  ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2.xll
- Size
  
  1.1MB
- MD5
  
  ac661f69d93e92d2e273093a354c4278
- SHA1
  
  1815742d1bcea898864642844d273a7df1e82ec0
- SHA256
  
  ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2
- SHA512
  
  a421c81251cbc44a387eecde547b6987b5e677471ac78d1622379820aa9b67e47309a29272eddf88a645d1468c50a41ffe4274d888466f97cf067970678abf11
- SSDEEP
  
  24576:Fz7GHAzH7jX1mFxOf/yixzM8dTOzkrIcftfhGKc:FzCHIIFxOHyixgKOzkff
Score

10^/10

discovery formbook qcr9 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookqcr9discoveryratspywarestealertrojan