formbook | faaeac08804e5737076cfef12e58a3375c8233a477b3f64b0c5ecb9b752954c3 | Triage

Sharing

General

Target

IMG-CMR.xlsx
Size

2.0MB
Sample

210111-yjb921d83s
MD5

507d646c9dafa980a1f39c911ed5086a
SHA1

e90c1561a6f1af214ef41cd1bfc03e8eb774412d
SHA256

faaeac08804e5737076cfef12e58a3375c8233a477b3f64b0c5ecb9b752954c3
SHA512

37c7b2ed8d7739c1c24bcde0c56f3a0325eed24a65cf638a88c5a33c05cb332798c5b829f0a4a77e54ecb247dabbad21b3d0e7daba613ccffc7288745ec03ae9

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.thesiromiel.com/kgw/

Decoy

valentinakasu.com

soyelmatador.com

collaborativeprosperity.com

power8brokers.com

nexus-ink.com

manpasandmeatmarket.com

the-ethical-forums.today

maryannpark.com

bikininbodymommy.com

pxwuo.com

bigbangmerch.com

okaysinger.com

shopcarpe.com

rainbowhillsswimclub.com

crifinmarket.com

ebl-play.net

forceandsonsequipment.com

viagraytqwi.com

latashashop.com

suffocatinglymundanepodcast.com

Targets

- Target
  
  IMG-CMR.xlsx
- Size
  
  2.0MB
- MD5
  
  507d646c9dafa980a1f39c911ed5086a
- SHA1
  
  e90c1561a6f1af214ef41cd1bfc03e8eb774412d
- SHA256
  
  faaeac08804e5737076cfef12e58a3375c8233a477b3f64b0c5ecb9b752954c3
- SHA512
  
  37c7b2ed8d7739c1c24bcde0c56f3a0325eed24a65cf638a88c5a33c05cb332798c5b829f0a4a77e54ecb247dabbad21b3d0e7daba613ccffc7288745ec03ae9
Score

10^/10

formbook evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookevasionratspywarestealertrojan

behavioral2