formbook

General

Target

JaffaCakes118_059980318a5d488ba786676204ec494cb5ab0721b50d705899585f81603dc698
Size

463KB
Sample

241224-av26sswqhp
MD5

dc40453e11f0d82bd10a5ad9a200085e
SHA1

0f0c30d6410a01f6a58c7345cae8dd9209765b79
SHA256

059980318a5d488ba786676204ec494cb5ab0721b50d705899585f81603dc698
SHA512

c22b5da49fb93e813b0e6b310c5c9b5649cea73abb35b8adc5f49ed4b80c89c0b747f464a6554a9814bafa346781bab1003cff5d75a8984f3fbd0b94954877f5
SSDEEP

12288:olxr/RJqdPwo1axjipgn7ymOo6sjkbdoHb3SEe:o7DHqwx2pgn7yhiYdoTSEe

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

bnsk

Decoy

9AsW/znAeYpXfCSzqhRFTGCvDg==

et5hNiI54PDQQC/I4nmjTdQWbc+6

bJfAvvqTZ4lgkErlyIp3Dw==

v0ll9N5E/gPcTUXoyIp3Dw==

HbVsl/0LWw1upJLjW4l1

QWmFotYu2pQrhToT+cw=

XJE5nuTJxdan2kk+/eJ9

krnX71nRoryQ2tM+/eJ9

+uFpF0mte3I8l02FRuUJyBtqfKWj

V/gEdE+0gYdi1J83LOKBSHULIHs=

Y4EUcain+4oZeFcA+m9L5CdxQXM=

GMrxaKLIoiyM

lMHmEiYwvnHaOd7315wVsAIN7Q5/2wY=

BgfXnORzfwCNfTvW

FyaIVv94/YvqCAmJ7+piQX6yFg==

fHX7sBijX4KI0c0+/eJ9

4P+jeOtxMEsbQfODnVR2TGCvDg==

EwWofOApn1DsEd5zUg==

k/28CWpPbftMrDB5E2J3TGCvDg==

7OAGFw4frLODrFroyIp3Dw==

Targets

- Target
  
  6ca39f7a18248a826714e89d6cb52e7f952d36d3f3a7be1b96c6a5a39ec4adfb
- Size
  
  642KB
- MD5
  
  d836f401150d3edf804fb32e913cc1ba
- SHA1
  
  b6b96c22be56065a6015fd27eac39cfa33d50848
- SHA256
  
  6ca39f7a18248a826714e89d6cb52e7f952d36d3f3a7be1b96c6a5a39ec4adfb
- SHA512
  
  fcd711df3a7f36f456e9fc6d011c7721a2ddde0d90368737202285350bab3af592e2481e1078cc7aeec7ce79bffb991ce026ce0d4f5ec26d3b713213a9434990
- SSDEEP
  
  12288:kqp3tdo8hIoADb+1AYjnc7AwYjSlylSx1LS+I6+a48P/t22FTrEV9jy+:kK/87Dbujc7AwY2
Score

10^/10

formbook bnsk discovery rat spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Formbook family

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2