formbook | 968217dc7ec661ccf8ed591f1e45815502ef082b4c16eb6da0daa4f24698a0e3 | Triage

Sharing

General

Target

JaffaCakes118_968217dc7ec661ccf8ed591f1e45815502ef082b4c16eb6da0daa4f24698a0e3
Size

695KB
Sample

241224-1jyx4sxrgx
MD5

26e868a0ae0a0af38d9e9baf73d05dbe
SHA1

f9121720fd1492e073377cf92665ba30e48f7d79
SHA256

968217dc7ec661ccf8ed591f1e45815502ef082b4c16eb6da0daa4f24698a0e3
SHA512

a1c5d359ecd3647f596f80d885e2c5935bba2873204b0df99d3beb4360385ce14461863fa257cfb9bdaf6c7e58150fdd6251c1a530bbe5f37e1eb833ee3e3921
SSDEEP

12288:H4LHMe56fGzO8VyuGpk+HHSwEMzix6VAJYosAqVc9ldCOoklH77:YLgGzZyTpkSHnz+3JYNOpf

Score

10^/10

formbook cp5 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cp5

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Targets

- Target
  
  RBIDFTCRADVICE_21012814480386259994,pdf.exe
- Size
  
  1.0MB
- MD5
  
  192241c16894f7c1a1f74ae037807bbb
- SHA1
  
  f4089d984924a4bd5dfd4c72190043d23de24706
- SHA256
  
  a9989788c3001149521eb7c42b65c8bffedb52efb1f6e4e08e001b3fe3af90e4
- SHA512
  
  bc20dbf398c02dc33fb097db57b51ec202bc0753700df3109518ff4ece2205ea6677f11153cbb562e4b42db45ba373ef1afc6123e2c540a016d9897c0a3182b3
- SSDEEP
  
  24576:Wsw4pC6wOo3Jy+p5Cf0+xv7yICOAXr4hT:Wsw4pC6w73pKH7yICO/T
Score

10^/10

formbook cp5 discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcp5discoveryratspywarestealertrojan

behavioral2

formbookcp5discoveryratspywarestealertrojan