formbook | 19157045ecc10e0db37a1f84bf66614822f3256bb240f9ee1342295e37aa64a9 | Triage

Sharing

General

Target

JaffaCakes118_19157045ecc10e0db37a1f84bf66614822f3256bb240f9ee1342295e37aa64a9
Size

739KB
Sample

241230-cjbktatqh1
MD5

4d3e1aa51216b9fd2f5b1ad2e6077702
SHA1

22204802ba2462a3a2836b44787132181f0e4ddf
SHA256

19157045ecc10e0db37a1f84bf66614822f3256bb240f9ee1342295e37aa64a9
SHA512

a462a9acd47fa04064ef8afabb38fbeecfcc3fc6e4e9f162094503cd58db5daa3630543170a0ddc649cdb6f2d858e8f95dcc102034ca8e1dfc1d57f35ab8054f
SSDEEP

12288:+nwGJzfvsTtQsIcYm7bQLBWx8gZCMly+FgqRBz8M3tkfci4KTbrVxoHkkXX:TJQBhm4LBW1ZCMly+aiBzV3t8rVGHV

Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Targets

- Target
  
  97504b3dbc2dfe20922f3323f905aa9d4f5f440720cab63dd26c82f26f7d76a2
- Size
  
  830KB
- MD5
  
  3999be53259c3a2ecc613beccb944a8b
- SHA1
  
  6c806ab505713d011f02c008d9c69dcbfdde55ab
- SHA256
  
  97504b3dbc2dfe20922f3323f905aa9d4f5f440720cab63dd26c82f26f7d76a2
- SHA512
  
  ec05795b12b0d78304df5050f9a57b271b5018485ba016f500cd33b50fcbf8e5224a18781096cd95749fe6078dc46a0dcd4172fc5d1e06f4af6fecea176a5ff2
- SSDEEP
  
  24576:q12MYtLRZaaeK3x8KC4dx05nbQojj5Ql8:qGRZSux83KwEoZ
Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd2g7discoveryexecutionratspywarestealertrojan

behavioral2

formbookd2g7discoveryexecutionratspywarestealertrojan