formbook | 9ef449444431935cc53bcfddb15b35b1dd62495b06d16493862ed6acc897135e | Triage

Sharing

General

Target

JaffaCakes118_9ef449444431935cc53bcfddb15b35b1dd62495b06d16493862ed6acc897135e
Size

531KB
Sample

241225-qg6j3atmgw
MD5

c435ad61784115c3ba480b60e3965dad
SHA1

b783759fa03fa29c1582e84360ec632392732aec
SHA256

9ef449444431935cc53bcfddb15b35b1dd62495b06d16493862ed6acc897135e
SHA512

e4cca574f5b4f5dead766a23bf6dafc1f707697c2977e356b4701253ebdd573dd5fcc9072e26694f5171895610ce0a68fd9f920982c98065a9b05f208310e80e
SSDEEP

12288:E6J97gkBAZshcBJgWCCN9s9oF1oeQZvMzC5WsR8Tb3:E6J98kB5czgYgqceS2C5RR8Tb3

Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o27a

Decoy

rfmag.club

zkskzt.xyz

prestitiprivatodaviden26.space

topfxvn.com

irreverentlabs.net

untosuit.com

conquestdevelopmentgroup.com

meterarchitects.com

gwendolyngantt.com

1xpromocode.site

sellloooofolk.xyz

alonzorobertsunderwriting.info

harisalikhan.com

gocqsf.com

carrotstay.xyz

fortumex.com

xiaosage18.xyz

archeage-unchained.com

logicskopisch.world

xj9j.com

Targets

- Target
  
  Nuevo orden 1.exe
- Size
  
  555KB
- MD5
  
  b9ba47bd36eddc3ec6690f867f4f065c
- SHA1
  
  145372771d3ad06c2d7e1bfd8cee311fc8b4c000
- SHA256
  
  035dd068094e680fb06f62eb2b838b182d29df63883906f0031444f1bea56507
- SHA512
  
  d5e4d9389c85a890c90660353ec842c2e7c2ac854f171a4f760d74d200c946c37868c3d1b8d54bb1f298bdf174c7eca4c18f3340676905f20330c37013acad99
- SSDEEP
  
  12288:7z90jNqYHj5TDlbC3F5A+56YYLjtY9KEj/CeB:7ulYJm5IKEj6
Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko27adiscoveryexecutionratspywarestealertrojan

behavioral2

formbooko27adiscoveryexecutionratspywarestealertrojan