formbook | 257376dd4cda0f03c4eb3476a615f7f34cab8c6a20efc51a501594c9be37e244 | Triage

Sharing

General

Target

JaffaCakes118_257376dd4cda0f03c4eb3476a615f7f34cab8c6a20efc51a501594c9be37e244
Size

536KB
Sample

241225-fp197sylhs
MD5

d7822ad4efc603803cb7890eb66110cb
SHA1

7d703e81605c93ddee632bcd1e2a6ad720ccab6d
SHA256

257376dd4cda0f03c4eb3476a615f7f34cab8c6a20efc51a501594c9be37e244
SHA512

cdef8bf989b9419a17793c4ec651088373f492f1cbd3fd4dce9830370f782f9467b4176291275a2e8e00ff0730ea1d2703b2ee1e5554a64e19a3282a07c65a62
SSDEEP

12288:Tqqtw2r0LSU+WA57JQPVaJP/K5I6seb97FzJ9II9t:Tqq220Lk57JKaF+vso9x9+u

Score

10^/10

formbook t36t discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t36t

Decoy

klinkspremiumwildlife.com

teto-store.com

minneapolistaxattorney.net

zgomc7.com

invest-nj.xyz

uinnou.com

addtr.online

hollydays.online

fearurself.com

balaaconstruction.com

myyacht.rentals

hstonme.xyz

51junt.com

sidagj.com

weelilfellas.com

mroadholdings.com

torontomillwork.com

gonks.shop

jupefeeds.online

drpmb.com

Targets

- Target
  
  DL+Payment Release Details #Transaction Notice_Reconfirmation Process MTCRTTM.exe
- Size
  
  606KB
- MD5
  
  bd8229dde5d5dfd5bded095911b835ca
- SHA1
  
  c1fdb6b6829afe4f2bb9ddac12cb384bb2dff286
- SHA256
  
  93e9e99eb9d74a0cfa3cec7fea4a663b9ad5e8fe4e6ba38bf597a902ce592e1e
- SHA512
  
  9d945c7baa4fc8a83323e72e324d166d18af7c9d1914906ba49ad27813cc4360d7f979c2c6b594199ffef105adbc4dc1708eee34c51ccba9877f898c87db9f0c
- SSDEEP
  
  12288:Xq2PIZimzX1v9jA6FAOlyQMjcK6g+xHBMD1n+RuGJ4gge707kyLL1XXMQ:YT1v5hFllS4K6hxhMDSuRgghoyLJnM
Score

10^/10

formbook t36t discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookt36tdiscoveryexecutionratspywarestealertrojan

behavioral2

formbookt36tdiscoveryexecutionratspywarestealertrojan