formbook | 5655f9615a49ab7877631aa1ecd344300c5bc68794d70082232b644219fd48e0 | Triage

Sharing

General

Target

JaffaCakes118_5655f9615a49ab7877631aa1ecd344300c5bc68794d70082232b644219fd48e0
Size

988KB
Sample

241224-v2ygeasqct
MD5

38b04f67ca549fb1fc65f5061040060e
SHA1

9c6a05ae4d2cf5ae678028e86d1bede41f627a43
SHA256

5655f9615a49ab7877631aa1ecd344300c5bc68794d70082232b644219fd48e0
SHA512

30e779abfc67e32815d1c42342355c93ee1e818cc62638f366a34371425c6623475beb6c74a2bf4672481c69a24999ef37d539498056eb1d1a19938403705dc0
SSDEEP

24576:C4K92Ob3/SWMLXa/bc3QX4YhaFoW3iIm5GyQXtwwM9C0CEsHlUOX6O9Wv4:CtzbKHLXa/g36fSosiIsxUCdC/DWOXxF

Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Targets

- Target
  
  T?cili Sifari?.exe
- Size
  
  1.0MB
- MD5
  
  102a540303ec7665687ee20c6a6f3829
- SHA1
  
  dc5b7f0a3a72215e0fb574ffae9dc1ca80d8394f
- SHA256
  
  77de2fa49e24c93e217088285cfcc816cf7ae40928898dc3e88c0d6a67a31c80
- SHA512
  
  887c9e35701b2a8d53a5973f423b10f6c4312d112fa77ee64453f43a451b5f34449f4e0cb7c5974efc73a3621ad1fdd43f7b88ec34834c6bced162364cd6a5b2
- SSDEEP
  
  24576:4Vr94W+fAEY/PyVvoieXaM0GGbr2lmmY0tVe68euC/:4VR4DfAlGoibM0G8tmls680
Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd2g7discoveryexecutionratspywarestealertrojan

behavioral2

formbookd2g7discoveryexecutionratspywarestealertrojan