formbook | 3e8b26613c86a95bcc479a217664e0965f7d450fad4c27f82b8bdc16a71cf001 | Triage

Sharing

General

Target

JaffaCakes118_3e8b26613c86a95bcc479a217664e0965f7d450fad4c27f82b8bdc16a71cf001
Size

712KB
Sample

241225-t1h5naynaj
MD5

477168151900e7cf18b947d8e82d6736
SHA1

1f4443393d9f983ec492fb0728e4ccf40192405a
SHA256

3e8b26613c86a95bcc479a217664e0965f7d450fad4c27f82b8bdc16a71cf001
SHA512

e6601470f8604b6c6398d0fb02228984bfc7782410d6f2f653dab25a5df05c819e6ed18ea6d99a305e0b8097cdcfb56c8a34123c7b33280fb7fd9d9a5e6f81be
SSDEEP

12288:oHlDqM82T8xw9Scb1F63IWqCgc0f2Exn/ZOIYr1RDsxar+zlI2JnbH5LOwXmxzMT:QlDqheVz+IWqCgddxn/Z1YhRDpa5F9HV

Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Targets

- Target
  
  NUEVA ORDEN DE COMPRA.pdf.exe
- Size
  
  735KB
- MD5
  
  31ba1b0840c21eaef4703f971d6e1269
- SHA1
  
  b5775b488c52e6e3213178cf3029f670daf3ea61
- SHA256
  
  a1d866af56e776900262c65bc9f7396338f73378f7af889c5f02166432381097
- SHA512
  
  6fe6a5e5df803f021b8140c017d35d96e3ba6b2d83c67342edb187a85c2c8e031a8e5a82a4ad96b2cb648609101224c948798c4970e2227eebc82655e4ca027a
- SSDEEP
  
  12288:FQGaZqPVeqKmpPkHpgnrnHvoXZJZE9NzxIbkaVF4Vp9xCwgaNSsRPTJmeZ:SgteqTpsJmwrZE9NzAFep9xMONPT4s
Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd2g7discoveryexecutionratspywarestealertrojan

behavioral2

formbookd2g7discoveryexecutionratspywarestealertrojan