formbook | 0c06d0aca06e1a105223e18f1f7505b79f7a8f3e48aaa4c07a71e5e97ef94905 | Triage

Sharing

General

Target

JaffaCakes118_0c06d0aca06e1a105223e18f1f7505b79f7a8f3e48aaa4c07a71e5e97ef94905
Size

364KB
Sample

241226-ybes6awncy
MD5

4c64ba325cce55a8594c7a6cb338f6dc
SHA1

c2ca7ca8912aa4e8af6a2bfac62296b1c7beb801
SHA256

0c06d0aca06e1a105223e18f1f7505b79f7a8f3e48aaa4c07a71e5e97ef94905
SHA512

ffafa60137ce8211d7d231bd7cef564c4b936832e61519f8d91c25dbc298bd2a36c31d3b9701fdcbd505393d53081aa1ee29a8b70ea27ed89802f40d49cbfabe
SSDEEP

6144:sfLvCdAnlqbQillEXdmQQI+racD7/cTQIhOg0QKPs77HytoKA1:jGnwbQiDENmQQthD7kchg0QH778c

Score

10^/10

formbook oh75 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Targets

- Target
  
  0202-22.exe
- Size
  
  462KB
- MD5
  
  25187246817de52ff581a45f4f11f241
- SHA1
  
  6166539dd8e4848758432de290c82cdfa113d0f7
- SHA256
  
  f5d980b064f019eae241837745f27d679386904a95caef0e572709611019cc7c
- SHA512
  
  797350c31c78d5df0aa24b12c7559f380253e64f03b0b629501d2cd8abd8b8174b6937816315b17cab1a33a858c652e418f5ddfb0475fd37f364dfe46ca27115
- SSDEEP
  
  12288:CVO7JCi3zD56YS6Hu8IDa2yMxTsZhkeM4:CVOVTDD5pHuK2txTsZRM
Score

10^/10

formbook oh75 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookoh75discoveryexecutionratspywarestealertrojan

behavioral2

formbookoh75discoveryexecutionratspywarestealertrojan