formbook | 923fb5875b7bbde4321e8e9d4c010aa8851801bb5b099f2db795fa883c9c1e1f | Triage

Sharing

General

Target

JaffaCakes118_923fb5875b7bbde4321e8e9d4c010aa8851801bb5b099f2db795fa883c9c1e1f
Size

352KB
Sample

241229-gmvv3svkax
MD5

f513e0765d9f5d64b75352cd9b11dbbf
SHA1

097b18b3269afa31784b161bad9334bb5d82f199
SHA256

923fb5875b7bbde4321e8e9d4c010aa8851801bb5b099f2db795fa883c9c1e1f
SHA512

7a400e19f8e22e10f4453a92b2b433ab67750415f1fc78087ce13a922fcff29e3cfd2c753e4d09fe583c2dba372bc3b93e5bfbf853e09928b252ed51b020161a
SSDEEP

6144:ZArAqbHPtIANjXrD4ds0NDor3NDRRSv4arkrJafT95/02S9iFVyVB:ZArTtnND4+0CBo4CGa79y9iFVyVB

Score

10^/10

formbook ajr discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ajr

Decoy

cokefork.com

sunsabe.com

tactical-milsim.com

johnporcaro.com

quantqubit.com

ehrbar2012.com

dailymoringpages.com

masteronlineteams.com

signocomunicaciones.com

entrepreneur-de-demain.com

eve-echoes-data.com

readingbythewindow.com

quoteshark.net

mundoeconomic.com

bootlegmask.com

sporkedmissoula.com

claricitywealthplanning.net

lyotrade.net

brandtokitchens.com

blackstorymedia.com

Targets

- Target
  
  Ayu4oCFjm9OnXOp.bin
- Size
  
  432KB
- MD5
  
  f87c0f240f62b4cca561779d456a119b
- SHA1
  
  c56269f25c5c23b2e7061e3b13c3e0c3fd27f7f7
- SHA256
  
  d30712d30f67be6cc42c17e78032d44f858ba45aa58c767b756874e25f6938df
- SHA512
  
  4ec4be2b361bf4c9c009a6b2c3c4dbe5cc4dec31f17d5507708fa7ce5f704452d03ee97dab6ad0f52e9972c2f919e20d243e9ce945aeeeee09a02ee43e6a649c
- SSDEEP
  
  12288:LgQts9tXZ0ybmhFZ9lrzfyXHFD4j5HgXm2ijk:LgBX+Amh791yVs1k
Score

10^/10

formbook ajr discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookajrdiscoveryratspywarestealertrojan

behavioral2

formbookajrdiscoveryratspywarestealertrojan