formbook | fdb292d797f2e82375becab7d1e33d1d5f2b51ea00b133565ebfc2e8d7c7cf76 | Triage

Sharing

General

Target

JaffaCakes118_fdb292d797f2e82375becab7d1e33d1d5f2b51ea00b133565ebfc2e8d7c7cf76
Size

778KB
Sample

241229-h48nyawmez
MD5

f8e1c01b3de818ea80c2015fa66b1fd3
SHA1

4c75119c3492c4efed2f8b97e334f56bc0e8f7ec
SHA256

fdb292d797f2e82375becab7d1e33d1d5f2b51ea00b133565ebfc2e8d7c7cf76
SHA512

4d97956b1bbe2b5b78035e172c399acd55f5e7691e6006033752e7d41ba52865cfbde26b2be8fd198f5fdaa90e6939e64109d8617fd3d500eaaf09ba4b4f9448
SSDEEP

24576:kKzcAQiwM1jogvgjHCFC8K3B3gT5X+mypAfF2g6HGQx:PMiwbgvgjH93ZgTwmTfZ6HDx

Score

10^/10

formbook de19 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de19

Decoy

predictivemedicine.life

coloringforthepeople.com

project154.com

usmmexchange.com

bootzxon.com

chaoge730.com

thenaci.com

moviestarplent.com

musicallyengaged.com

sneakerspark.net

yudist.com

apqrcx.xyz

traceless.tel

guardlanavionics.com

usadogrights.com

openei.club

aventusluxury.com

telewebin.com

godrej-threeparks.net

solbysol.com

Targets

- Target
  
  Copia de transferencia bancaria.exe
- Size
  
  971KB
- MD5
  
  8ee464229bdaac78e1354a7ff334af85
- SHA1
  
  a566511090198f92b82e07c1675b256f6c91e923
- SHA256
  
  8095979c4153bbcced38a6ee12589fbb67f356535a91cf22e26413ee3f1c4e34
- SHA512
  
  836274df2b83188718400c22b71becbf445d2f128cdfbc342cb62cb3655cc70441a638705911c449f500748e7be13082a11ac4d261a03e9c805cdf10e3e1ab87
- SSDEEP
  
  12288:Ntcg0r9tDZddpnLnv2hVSKRytHxnrceHMcrIaPy1FTAUI4kSxv1/:Nt893hSh0K0pxVIaPy1FW41
Score

10^/10

formbook de19 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookde19discoveryexecutionratspywarestealertrojan

behavioral2

formbookde19discoveryexecutionratspywarestealertrojan