formbook | 553eb6ff1dda41ccbfd52c6547e763d739ee272f5390e09e840cf64c3259c00e | Triage

Sharing

General

Target

JaffaCakes118_553eb6ff1dda41ccbfd52c6547e763d739ee272f5390e09e840cf64c3259c00e
Size

1.0MB
Sample

241225-tkesasxng1
MD5

f91aa6b76dab34d702fe9a87c6928f01
SHA1

7f25d4de098ad5d2deea53798f242737395ebb28
SHA256

553eb6ff1dda41ccbfd52c6547e763d739ee272f5390e09e840cf64c3259c00e
SHA512

b898069a6926d72578dc40db94cb909b99cb13efc69ca0a10b928d80d336a54fe5b3d93fdd00144c843adb5a37d31042613577757459ef87faf568cd5a481250
SSDEEP

24576:l0CrkTm1td1KP2nVw0q+YvSelihsOitY3u0YgN9HOUzCIAGWr:ST+d1KPsVMhvNihs0u0VN9uUzCIAxr

Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Targets

- Target
  
  Nueva orden de compra.exe
- Size
  
  1.1MB
- MD5
  
  7280b74e4cf0685d974bbb8d60a57ea0
- SHA1
  
  272afcc621eecb76b7986fa80fd4fc235adfde60
- SHA256
  
  cf5d0eb741adc67acf2cffbbef91fb030c94aca534d7a6b95efdbace11b4a62a
- SHA512
  
  6ad2d2369b2339d5c4ef9f91fb13de42189a9b493da98e6d495980017e0f4e97827a4606dd590cc12aca22d150b974d403602d2351381221bb82a763ba680b11
- SSDEEP
  
  24576:rVspUwf9hhQP20Nog1tChybY9GygPmWXrq0l4EQUfIHTw:rVQzVhhMNoQl0EygPNveWIHT
Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd2g7discoveryexecutionratspywarestealertrojan

behavioral2

formbookd2g7discoveryexecutionratspywarestealertrojan