formbook | 4e1c286566b574f31f091644bcac2d2aec378002a42ca039a34561947078483b | Triage

Submit
Reports

Overview

overview

Static

static

3

9ca3d7aef9...18.exe

windows7-x64

9ca3d7aef9...18.exe

windows10-2004-x64

Sharing

General

Target

9ca3d7aef969d1460d82b86833904dce_JaffaCakes118
Size

504KB
Sample

240611-caek4szgll
MD5

9ca3d7aef969d1460d82b86833904dce
SHA1

b75c443f46403adddc7feee11e95bb601eb42c2b
SHA256

4e1c286566b574f31f091644bcac2d2aec378002a42ca039a34561947078483b
SHA512

2da51ad40d9011df045e4a7f241b1b4ca9917f06bf6129222820b86525468a5ffbe56940eb06de869cc384a945cd3d5356dc3a7a6f4c86458c4688df93fcbb5b
SSDEEP

12288:dWWNkAMw7hj8FLCCeVBVivogDiggszuRkRa6o:dWaMw7R8FwnipviJ6o

Score

10^/10

formbook ej persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9ca3d7aef969d1460d82b86833904dce_JaffaCakes118.exe

Resource

win7-20231129-en

formbook ej persistence rat spyware stealer trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

9ca3d7aef969d1460d82b86833904dce_JaffaCakes118.exe

Resource

win10v2004-20240426-en

formbook ej persistence rat spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ej

Decoy

ratnik.online

qqqq5025.com

oliverschmidtleipzig.biz

wallet-service4.com

securityinformation.link

kuaitool.com

chuanyuemeili.com

jetluxurysedansok.live

xn--autodrne-93a.com

ipdzke.men

opebet489.com

defamey.com

switchbank.finance

bplti.info

habomilk.com

onlineprintersupport.info

kansashemporium.com

xnewmovie.info

yuvakarshan.com

camwrshh.com

sadegulkilic.com

nomadflight.com

citratiket.com

keyresourcetek.com

manis-nagoya.com

aboutlouis.com

kankabul.net

hlstnyy.com

freebaseballpredictions.com

sharedpo.com

retailrealty.net

fattiarantes.com

tattoojay.com

leadmmo.com

otthonbiztositas.online

katakori-kaisyoushitai.net

eaeyz.info

placetel-togo.com

kevincurley.net

niemehraknepdf.com

autovn360.com

coinaircourier.com

655ope.com

bestvideogamechairs.com

buildthemind.com

homebizfounder.com

hannguvietsky.com

irancalligraphers.net

goldmanjewelers.com

sajilotarika.com

pwufugqeg.download

purelyforyou.biz

henrysaesthetic.com

ccc616.com

sdryo.info

newconnectbiblestudy.com

onu.supply

weed.futbol

hospilabels.com

sec8rentals.info

duanb32daimo.com

miaoulog.com

thedmvarea.com

pixlogics.com

kervax.com

Targets

- Target
  
  9ca3d7aef969d1460d82b86833904dce_JaffaCakes118
- Size
  
  504KB
- MD5
  
  9ca3d7aef969d1460d82b86833904dce
- SHA1
  
  b75c443f46403adddc7feee11e95bb601eb42c2b
- SHA256
  
  4e1c286566b574f31f091644bcac2d2aec378002a42ca039a34561947078483b
- SHA512
  
  2da51ad40d9011df045e4a7f241b1b4ca9917f06bf6129222820b86525468a5ffbe56940eb06de869cc384a945cd3d5356dc3a7a6f4c86458c4688df93fcbb5b
- SSDEEP
  
  12288:dWWNkAMw7hj8FLCCeVBVivogDiggszuRkRa6o:dWaMw7R8FwnipviJ6o
Score

10^/10

formbook ej persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookejpersistenceratspywarestealertrojan

behavioral2

formbookejpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy