formbook | 008eee66fc8358a7cda63d1e33042f3306e853e85864083cb600257a60bd615f | Triage

Sharing

General

Target

JaffaCakes118_008eee66fc8358a7cda63d1e33042f3306e853e85864083cb600257a60bd615f
Size

1.1MB
Sample

241225-a319gasldy
MD5

a74738e3f4004db9775180862d5740ae
SHA1

704fb8a290fb546cbe9bafc9ea0cd3e0f65675c5
SHA256

008eee66fc8358a7cda63d1e33042f3306e853e85864083cb600257a60bd615f
SHA512

2c32c5bce800dcb71f39688c87d083f2b417d95c82d208e96e3a4451b2ef60489493cf7892a17c24e3ee2de10cfca9d3774f9356abb5f5b81a8ba44d56ecab6b
SSDEEP

24576:JMhOIl9kkc2fOVeTk0L/WRtNe5uFp2HBjugcIttc3GuQ5:8OMkd2fsw5C8E2HBRPtIGuQ5

Score

10^/10

formbook ubpr discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ubpr

Decoy

ptpVli2do9q89N0=

+CSLnNslIIErRTE3deUw4HXnuqwqG4+WpQ==

5IBw+rDmyajH6J9b0Gc0

ITivu/UzzGQKCQ==

qNw+VJ7Ni+WT3pA2e/8=

6VzmXNT+607aCN1UmHCt1CjO

a+xfszZjSqdZhCfX5fXnJkJFIsuN8Ns=

DLyp4MD0xUCL6olI

kysKo0J45suL6olI

oE/eN+zqkP2lyG6YYSalUA==

Rko77gUFcKTQFA==

cW14AsnTkUOf0N6ODWjpj7S6nRI=

M9yx/sTJbmx2vzUeWQ==

SQJdWnStlfaz6J0M04r3MN8=

FLhBiiYfyjfZFOdgHU1SfmVhAGgV

nKgaME1YHRs+cHTkn4oI3ibO

vuZIRIyKMaBGiUl9iaiZxNc=

UPnZdBQV1nzxKB1N

iARlleEZxTSL6olI

w5hz+KfftpWkwox0yH7vo0GrwW7RjWVk

Targets

- Target
  
  a52d0bc31a250c5dd5c84c75fca9b965955297d20f582d79849c17fb59c4c04f
- Size
  
  1.2MB
- MD5
  
  8f6f8bc43de5fbdddedb774a22e3dca1
- SHA1
  
  3f48029084649e39963710b0ae114b4663d48e68
- SHA256
  
  a52d0bc31a250c5dd5c84c75fca9b965955297d20f582d79849c17fb59c4c04f
- SHA512
  
  ff48e557c37a8ebda2d9504727681dca35353003e87369e5462fb20a1c4746fb998200130b23518288a2bf7c4af06e8853937251af7b2c17e94a46d39b991797
- SSDEEP
  
  24576:7AOcZX4ctcwhwheT60L/2NgeSMj5HHeg/cbGOSMIEn:dPwhUwvfe/5HdYGOSMV
Score

10^/10

formbook ubpr discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookubprdiscoverypersistenceratspywarestealertrojan

behavioral2

formbookubprdiscoverypersistenceratspywarestealertrojan