formbook | 64556f7106de6f8b8825085e8463d19ead30baa55febb49752e681341a9e4d66 | Triage

Sharing

General

Target

JaffaCakes118_64556f7106de6f8b8825085e8463d19ead30baa55febb49752e681341a9e4d66
Size

640KB
Sample

241229-azpfhaxkap
MD5

c04343566ea01de23a6d1fa98cfd8937
SHA1

8a8245eae9aa415e34c5d14e8e8be342e14235e7
SHA256

64556f7106de6f8b8825085e8463d19ead30baa55febb49752e681341a9e4d66
SHA512

8013b2cd39b78fd30a822b7f0b5b94ecfe31c30619e913bb1343aecd096ac2f27cde5a53be51c7e04ba5458148a82ecb6e2f07f7f0241ffcfe5b9b71f54712ad
SSDEEP

12288:dl4r3/5eBDKMJ25SlprVROg6bVLij3aeP4vJPZ7UuPFz2cTGu87r/yJBFIhPXY47:b2PEBDKk25IVVqbVoVwxZ7UgdXiB7eJ+

Score

10^/10

formbook mzk6 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mzk6

Decoy

mobelhouse.com

legaltranscriptionfromhome.com

hostmore.top

3kkb.com

whitepearl.space

tavatars.xyz

zhijianai.com

growfollows.xyz

aloua.net

the-mlm-software.com

justice4jimkent.com

iicse.top

blondemarketingsolutions.net

oncochart.online

firebird.group

jinanjiazi.com

aizoulu.top

scalpmicrocourse.co.uk

sugarplumpaper.net

pingmetech.com

Targets

- Target
  
  1e6bdda859cf7324cbbb98eba3f817db4cc00f8495b93cbdd46adb64be1b3c01
- Size
  
  807KB
- MD5
  
  178a7a9746f4671d810b5f451870f4e0
- SHA1
  
  980c97f058d1248411d9ebc17383ab031fa4e1e6
- SHA256
  
  1e6bdda859cf7324cbbb98eba3f817db4cc00f8495b93cbdd46adb64be1b3c01
- SHA512
  
  373e0e4b9760c36c84e182d68d10c5757d6b7d9d572eb3adda8acd0bffaded5df495097805827b4e21a19fd31c458a46e02184f8b31ba5f7dd564fc2104f9f1a
- SSDEEP
  
  12288:hsZP7BAr0ik1U11R/5PG6nlY6lJf45rmtVSShhzgD9VwF/302CrQW:XkSPTPTNvI92x0
Score

10^/10

formbook mzk6 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmzk6discoveryexecutionratspywarestealertrojan

behavioral2

formbookmzk6discoveryexecutionratspywarestealertrojan