formbook | a0592505ea38b395237adc77624c613ca16cb99f296549c6b128b7d8c4e17ecc | Triage

Sharing

General

Target

JaffaCakes118_a0592505ea38b395237adc77624c613ca16cb99f296549c6b128b7d8c4e17ecc
Size

577KB
Sample

241230-bwc4qstkdv
MD5

936af3cd3bb09a79a23019a81e382029
SHA1

8aeb8db5050cae2b4346bcb93acfd2cf9c9ee13e
SHA256

a0592505ea38b395237adc77624c613ca16cb99f296549c6b128b7d8c4e17ecc
SHA512

d0c1c973f540c5e03728d1cdfba5367dd43148668c90283bf91b7eb81cc0954ffd0f532db8dd2ef296634277037676596fc29a3facdfb420c87b1c399ec584b7
SSDEEP

12288:zob309KJZMBE2KIxz4+71alE9hAgsT0r2+i0Y1YrSBtSTGkXEZ9ax+a8:W309KJZMB5x8+7oIXs5YWOT70znz

Score

10^/10

formbook jr04 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr04

Decoy

usatotribu.com

jak-omi.xyz

spacemozaic.pro

fordheritagevauly.com

vinted.beauty

gowebinar4u.com

infinixmediapty.com

dingquanjr.com

vahidblog.com

kgav99q.icu

healtyneck.com

assg3cd.icu

airconditionerworld.site

opinkmflotp.site

mineclicker.net

davidsonfessettlement.com

secured-verification.com

kgwjqaj.icu

subtmv.xyz

auntysocialvintage.com

Targets

- Target
  
  bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e
- Size
  
  623KB
- MD5
  
  d796106a6798936495f83e5eeb341c90
- SHA1
  
  671a5437ce4fe56510909a852916a19eaf983dc6
- SHA256
  
  bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e
- SHA512
  
  9cbb995f2d32fef68348d0037ea8b6fac98ba86905b96658bf527961ae04f63ce65a23efcb4dee6e6fe8b3f1e5cf77e40221fd92dff925e0a60c2563eac2a7f7
- SSDEEP
  
  12288:no8bkVHKTBePSVM+q175iDNDGgYRtUkBpRcRm9SGiJ4if1kC5Lf0Lx06+r/R4sM:no9tKTBZZE75oNyZpRT7oTOe4C6+r/R/
Score

10^/10

formbook jr04 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookjr04discoveryexecutionratspywarestealertrojan

behavioral2

formbookjr04discoveryexecutionratspywarestealertrojan