formbook | c0b6fd6cbf29ff2ea9dbb4a888ccd479549face627083f84c43cac2b25a13489 | Triage

Sharing

General

Target

JaffaCakes118_c0b6fd6cbf29ff2ea9dbb4a888ccd479549face627083f84c43cac2b25a13489
Size

514KB
Sample

241229-2x153azkfj
MD5

5dce0c1170a55bcf01be1c1f434dda62
SHA1

f0e317b9410318aa5f03ff1bcf414b6e444e50ab
SHA256

c0b6fd6cbf29ff2ea9dbb4a888ccd479549face627083f84c43cac2b25a13489
SHA512

69cd01795d9fd5d75a87e8493259f4e08f7d8ffdeff483e95ae3f1379ca49f58c953f14c58d87c85097d7c1b274a97f9225a86df380c79358d4d5d5a722004a8
SSDEEP

12288:KdkyHOOM8q6ZIgy/c4exGFwW0IowCAex4cAzW5A9rrw:Kd5q6ZIk4gGG3IofnKcHAdk

Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o27a

Decoy

rfmag.club

zkskzt.xyz

prestitiprivatodaviden26.space

topfxvn.com

irreverentlabs.net

untosuit.com

conquestdevelopmentgroup.com

meterarchitects.com

gwendolyngantt.com

1xpromocode.site

sellloooofolk.xyz

alonzorobertsunderwriting.info

harisalikhan.com

gocqsf.com

carrotstay.xyz

fortumex.com

xiaosage18.xyz

archeage-unchained.com

logicskopisch.world

xj9j.com

Targets

- Target
  
  Nuevo orden.exe
- Size
  
  538KB
- MD5
  
  4abca413b252753f1fe8d43db529eec5
- SHA1
  
  003fc5e1e59ffb1247cc254edf8eff28d5e53044
- SHA256
  
  a3165c54480303a31c1da6f186f955b3d5ff3e0dc3539993f134510b0a396df3
- SHA512
  
  69828107fb63f7bc6f898ca1a28a6f10e17f5114ee4f52948a2500631198918c6719434d28f494294e81f7175f7245dab303fd83c0750f20e0f1c66ef8c5f90b
- SSDEEP
  
  12288:JzzkD2hbbBC8sCAsGVaYYaP8ssugQ4mdeu9GQ7GYMmFq:JV9t3PNs/98s2l0GYh
Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko27adiscoveryexecutionratspywarestealertrojan

behavioral2

formbooko27adiscoveryexecutionratspywarestealertrojan