formbook | 5892d1fe3e67e8ade32c2ca211796974e7e58c1493a242d0cb92fc651201de91 | Triage

Sharing

General

Target

JaffaCakes118_5892d1fe3e67e8ade32c2ca211796974e7e58c1493a242d0cb92fc651201de91
Size

639KB
Sample

241224-m4vvaswjcz
MD5

72a621c513afebc9b58cfc6cdb060b2e
SHA1

10b69743638e8bd718e11f13e50a004ff52346b7
SHA256

5892d1fe3e67e8ade32c2ca211796974e7e58c1493a242d0cb92fc651201de91
SHA512

cf3e5d9504cbf5781c5d12fc0f6be657ea0ddd3ca24ab488781817bd691c52328fe21af518c6f85324d64263fa2e4d6571ea2ec6e4cfd127ced9db83a0e6a12b
SSDEEP

12288:6/2/xY0azWwzP15I92+nCD/SG0weKi6v2OdigMh3ly5OU1nF6phtZfvAIs/CPkZ5:6v0uVzN5dD9emuOd7MXuD1nF67IIs/CM

Score

10^/10

formbook gs25 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Targets

- Target
  
  ТӨЛЕМ ДӘЛЕЛДІ.exe
- Size
  
  1.0MB
- MD5
  
  ca855d522883a77e22f3c512c74540cf
- SHA1
  
  4dccebbf55ed8db1b5c343fe632cc857ff18c312
- SHA256
  
  61a82b8dc50c7afd24dae16dbb34d0e03dcc46ad5c6ee66545ce49f30a25aa2d
- SHA512
  
  670cd34b43c18ee4237b35e3dda05aaf46f79c9bb8431fb2195153a5772521a7b8351a948c6d0c9b63d6a99636ca9eea64606f4c118f8dce462a0116e824542f
- SSDEEP
  
  12288:SJf32iNHK4HTNNs+00yMSVhoHkumou4WhGW5Rhz9YOsHCp6Dg6XZdnNYEbS8DJN:SJf31bty3Vj/phGe3z9YOsHCWL3D
Score

10^/10

formbook gs25 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgs25discoveryexecutionratspywarestealertrojan

behavioral2

formbookgs25discoveryexecutionratspywarestealertrojan