formbook | c96ce31686a4107af25093cd0db96fc4749c7741c7f324ca7b7220f00f951419 | Triage

Sharing

General

Target

JaffaCakes118_c96ce31686a4107af25093cd0db96fc4749c7741c7f324ca7b7220f00f951419
Size

475KB
Sample

241228-26vpmsvket
MD5

c9aa5ac2e4d597b4dff50c82d1a634f4
SHA1

1487df55be8f19735d21c073e49ab4398b1f0f80
SHA256

c96ce31686a4107af25093cd0db96fc4749c7741c7f324ca7b7220f00f951419
SHA512

4a5b4ecc0dd7c50e9f5e54d24095550831de16cfa60ab0a571d70ace0f869f2374d218c77a099fae629a425267a18a87c3a648f710909c684ed6ce3dc02cae72
SSDEEP

12288:4gBrqpyDMF3XNVZinkKuHOswdEiMOszXZKQG2uK:4QwXX0nkosyEipGZKQG2n

Score

10^/10

formbook sn2a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn2a

Decoy

poczetkohina.xyz

themetaversehealthshoppe.com

herbarmonia.com

artifyjapan.com

wizeconcentrates.com

sewtf.com

astroturismolaestacion.com

catrinawilliamsphotography.com

healthroll.net

thefamoustee.com

agrabytes.com

confrontingantiblackracism.mobi

firstratebriefto-viewtoday.info

flooadgfrfactors.com

moodteach.com

rypxhbenef.sbs

metaera.store

jaliscofilatelico.com

bellamiscream.com

server873.online

Targets

- Target
  
  Equipment Order PDF.exe
- Size
  
  635KB
- MD5
  
  b1153a5e677a218b7ee73a0b1e6573d4
- SHA1
  
  3d0e644bcdf9d5d535494c8e96d6713285975273
- SHA256
  
  dfd901c6a7557a020e384e1dd79ac634af24df3708c4b6c6e6e0cdb1b5aa93be
- SHA512
  
  68660abb06cc97cb6306b1dbd802f020a1d6fd8dad470b77c8f2842194708d25a4c47baa7e7fceaedd097b1dbf28b22fe0a30acab8c8d8e342d1b8649eabdf13
- SSDEEP
  
  12288:Q3wqLZcF9YvYrhclfn9Dkm7JqehWAY7uH:4PLZo2vYrhcfDkm1g6H
Score

10^/10

formbook sn2a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksn2adiscoveryexecutionratspywarestealertrojan

behavioral2

formbooksn2adiscoveryexecutionratspywarestealertrojan