formbook | 556ff3626a7aa8ab83182c0d09607374171a3cca26f518d8e552d19e4dfffe26 | Triage

Sharing

General

Target

JaffaCakes118_556ff3626a7aa8ab83182c0d09607374171a3cca26f518d8e552d19e4dfffe26
Size

513KB
Sample

241230-gvzt1azqhn
MD5

dbc3f48ed970d90cc7b0b2528832bfb5
SHA1

398692de27356cd93e684a3c8cb3f526f3f3d825
SHA256

556ff3626a7aa8ab83182c0d09607374171a3cca26f518d8e552d19e4dfffe26
SHA512

d47cff25254f8194d7a2cc88868867188e8b95742289d53098cae2476e5ed5347d522c99c1a72024c8d86292ffd83d829796f16ba0e6a5c28a685907413527c0
SSDEEP

12288:NNVeK5CPTBA3KQSqrD8sQ8f3Oh5vAqDAgPSB19oOQG:NNVjQBOKZQD8sRC546P219oOv

Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o27a

Decoy

rfmag.club

zkskzt.xyz

prestitiprivatodaviden26.space

topfxvn.com

irreverentlabs.net

untosuit.com

conquestdevelopmentgroup.com

meterarchitects.com

gwendolyngantt.com

1xpromocode.site

sellloooofolk.xyz

alonzorobertsunderwriting.info

harisalikhan.com

gocqsf.com

carrotstay.xyz

fortumex.com

xiaosage18.xyz

archeage-unchained.com

logicskopisch.world

xj9j.com

Targets

- Target
  
  Barisan baharu 1.exe
- Size
  
  669KB
- MD5
  
  c52ea876f58edb9e098c468246cb3c45
- SHA1
  
  321ea4228f13cf39458031650a113b8304728b24
- SHA256
  
  f5111a8cb2ad774437f4c7e49e57f936188943f9819741754ae3ccc5fe02fc50
- SHA512
  
  473ebb28bd20be55942cbc07782391a6077532188f41c19d0dc1b3ac4bcce4c7f54ce5f1a88acdb23157ca8fb3ec1fa28a75f174bc6d1cf5ad0bc7903b0cdc9d
- SSDEEP
  
  12288:fpMgHlCsDN+a1BTGSzFFZ6hCH3xGPAs1f+6YDl6BZCLJGvT6cOwRhk8lPVR6/LkC:fpM+U6cOwRPlPm2COaECPU5
Score

10^/10

formbook o27a discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko27adiscoveryexecutionratspywarestealertrojan

behavioral2

formbooko27adiscoveryexecutionratspywarestealertrojan