formbook | 2f3766bd11570549f291b1c01fbf1e81805c2d072dbbd6ee26f2d9fd6dbcd8b7 | Triage

Sharing

General

Target

JaffaCakes118_2f3766bd11570549f291b1c01fbf1e81805c2d072dbbd6ee26f2d9fd6dbcd8b7
Size

1.0MB
Sample

241230-d3jafawrfp
MD5

8a9e27ffe2c12712f52d8c8c7399bcef
SHA1

0cbe817c64d39944905bcfbb2c77db1cfcefe86c
SHA256

2f3766bd11570549f291b1c01fbf1e81805c2d072dbbd6ee26f2d9fd6dbcd8b7
SHA512

fe72a274b6b4596a1fcf6f5e84c47a6a31c67ed9c85a210bece2eeb38dcf67373975d4218170cf023436cad86ffd1ef505dd47e38afe3ed28787e3da5537e4e4
SSDEEP

24576:thmEn5jyid96y1W0ijSLbfMG6uXNsX7lOxRkU71OmubqP4Le:DhMCvNwSn6+Ioh7wbS4C

Score

10^/10

formbook gn27 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gn27

Decoy

perilunevc.com

kantogaming.com

stageyor.online

jixsux.site

dingmei2020.icu

savagesupplyco.com

deadstockllc.com

leyandfey.com

zjn22558800.com

projectupskill.net

outliersresearch.com

spaced.community

zschengbangzx.com

5gxzxxtax-ety7f.biz

iq0xe.com

6388xp9xg9k.com

hengyungdzz.com

retrosale.com

echt.global

canceltotalav.com

Targets

- Target
  
  ??????.exe
- Size
  
  1.1MB
- MD5
  
  e5d39dbcb30238929cf0ace419b207e8
- SHA1
  
  f5c499e26a082a97ab0c4f2fb8dba82f719a37be
- SHA256
  
  a27690306574d230791d1625c7657c8460a1ad5a3bc0187e28a7620f30da14fa
- SHA512
  
  52d1bff13ff64c514fd804887e034809023d23abf77ebf5b8aa04a12b4c6575f348925f76a82bc793167307e9775400eee2aedf5cf0e1b11b932da17bc4e89a3
- SSDEEP
  
  24576:+by9e8ItJePeyuFyVU7/78m9w9BxanVR5VVuj+olvm:+aOtJePe/Fyuf19w9BxIT5VVu+olO
Score

10^/10

formbook gn27 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgn27discoveryexecutionratspywarestealertrojan

behavioral2

formbookgn27discoveryexecutionratspywarestealertrojan