formbook | 17f434832687e50e1f8ee2a1bd261ce4f37615f5486d260409670394942d19c5 | Triage

Sharing

General

Target

JaffaCakes118_17f434832687e50e1f8ee2a1bd261ce4f37615f5486d260409670394942d19c5
Size

691KB
Sample

241224-dbr39szmet
MD5

0e5b16069d90c6402977c877102a8dda
SHA1

d6381dfebd4cbcb7aeacca77159ce6b292a05583
SHA256

17f434832687e50e1f8ee2a1bd261ce4f37615f5486d260409670394942d19c5
SHA512

bde448754a3e48469af9a3899408d041d17106ecdfc94dc5a91bff5e0f8c337ed52c5079cfa70f7b39f57a6dacec8cd1c3fe9e0b1e4ce9276ee916451566664e
SSDEEP

12288:4/Xx6QrT0Lxjs4QJlmdcbTM2mVu+wRYOOBO767uz47HXo2sl6FzV9aek:uXxprT0JsJl8KTqVpZFBO7VErDslazHO

Score

10^/10

formbook m25m discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m25m

Decoy

vcinteriordesign.net

wahl.technology

howty.online

merakitaj.com

linklist.host

chengyumeta.com

thescottishtenors.com

fatima-alzaidani.com

darktealfox.com

yunyusuo.com

nftqueen.store

china-xlxh.com

bestvetcbd.com

sailjiu.com

leenings.net

proveedorampsxxi.com

survivingsilver.com

pyramidsupports.com

ftacjh0bx.online

tinthuongvang2021.com

Targets

- Target
  
  QUOTE 07022022.exe
- Size
  
  805KB
- MD5
  
  82e82e8e5dee51606502d3a124022be3
- SHA1
  
  5817dd722396876e744cc011a52ecf9d95545474
- SHA256
  
  c1b340618f246ec98f4f1c891b2fe2a1d8708c1710a567a0b0fb811add67b75b
- SHA512
  
  30bd3d6235eafc357c34f5c62e1c9e6e3cfb5467d434006bf8c14d9a83aa2e698c00c8f1805bc8f2cf0bb55ebd41637642154b571d2a6c8e943f999469677577
- SSDEEP
  
  12288:4uzMPvhqL9pYgcHzLxK0mB9Ee7ZtX97Cv8/YbtMQBMGJj6knVRpl2ussRI07dVwy:4uihoP0Lx8Ce7F73/YqQaPknzp9sWI
Score

10^/10

formbook m25m discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookm25mdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookm25mdiscoveryexecutionratspywarestealertrojan