formbook | 3b7f366b9aa386851781aa0d36bdb60f3a75208480ecb99fc647acb8d0763dd8 | Triage

Sharing

General

Target

JaffaCakes118_3b7f366b9aa386851781aa0d36bdb60f3a75208480ecb99fc647acb8d0763dd8
Size

667KB
Sample

241230-fd93zaymcl
MD5

282d5c063f7c52a8be5063a6c727ad22
SHA1

db021e87ac3dccfa8f9660fe150b41210c511211
SHA256

3b7f366b9aa386851781aa0d36bdb60f3a75208480ecb99fc647acb8d0763dd8
SHA512

9761eaab83fbff49bb275531ff8f2b90688665f05711078bec0f11bacdf4d081b21fe863644ce67b8648ade98187d773a85734da01ec8f7e655bf5615272f813
SSDEEP

12288:JQ8wx4Kfb3L0wW+eXb3CQ0Tnqgqf+vcsfQNoD1/cYGLmYYjMy2bG7:FEzTejC77qgqfUvQNoDlJGjeRK4

Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d2g7

Decoy

inviteonlyme.com

noashopping.com

raysyoutube.com

chicagp.com

brnguatemala.com

speechboutique.com

philippinepodcastdirectory.com

konnecio.com

9q1ng6.icu

treez.info

appleiclou.com

pettras.com

txherz.icu

freearcae.com

mindpetalsoftwaresolutions.com

my-beautiful-switzerland.com

hpzebike.online

fadsekclub.xyz

newcastledhaka.com

varidsk.com

Targets

- Target
  
  Yeni Sat?nalma Sifari?i.Pfd.exe
- Size
  
  738KB
- MD5
  
  802065ade587ca9b2f9627bb1c1b63e9
- SHA1
  
  5e2182dba4444a5161530f5f74e878d2d32b84a3
- SHA256
  
  a49a78b4925decc0dc56f7d6b51a49b17d028016ebd820de985c6982957eeac9
- SHA512
  
  62c81c0a16066769bd21f357ec1be507b211354d93b7c215658469f8ca7e56fe553080978de4a001c21008d37436dee1efb5c1295f3eb72b75b3abfaec3627c8
- SSDEEP
  
  12288:9P5k+XiURfG3YVrbFnip1AdKYG6pUZrJLjFdBH5uSyZ2uVQ2mPNeV:VaQ9Y6bFn01AdK0UZrT5u5Z2uVQ2x
Score

10^/10

formbook d2g7 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookd2g7discoveryexecutionratspywarestealertrojan

behavioral2

formbookd2g7discoveryexecutionratspywarestealertrojan