formbook | 320dab87aef07c03720923504dd0506f7d3e67de57b0067ebf0694966982db89 | Triage

Sharing

General

Target

INVOICE.exe
Size

725KB
Sample

210510-y5e8ksebnx
MD5

1939130a95b16662cea59b8812f9c505
SHA1

f4103a530615a7c5ae8e712dad07f750ceba9b9a
SHA256

320dab87aef07c03720923504dd0506f7d3e67de57b0067ebf0694966982db89
SHA512

ed6bf56ba3d0883a50641c7f62146b0becd20bf0fefef342ff7afde7855019fe922ced2fd256e6d49eed33095b6b3be02aa524b621fdda203452d69e26b0ae79

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.cheerstogethergifthouse.com/wrcb/

Decoy

tweetbeer.com

bizgrowth.expert

podmir.com

christiankidzhub.com

influencer.care

ido.enterprises

nakedmillion.xyz

nattylinux.net

justbathroomsny.com

luisxe.info

simplecopyshop.com

cometomygame.com

odysseesante.com

stophetcovidvirus.online

laconsultoriadetrafico.com

mediumsusanne.com

sidhusonds.com

nakrutci.com

8939299.com

guarderiajady.com

Targets

- Target
  
  INVOICE.exe
- Size
  
  725KB
- MD5
  
  1939130a95b16662cea59b8812f9c505
- SHA1
  
  f4103a530615a7c5ae8e712dad07f750ceba9b9a
- SHA256
  
  320dab87aef07c03720923504dd0506f7d3e67de57b0067ebf0694966982db89
- SHA512
  
  ed6bf56ba3d0883a50641c7f62146b0becd20bf0fefef342ff7afde7855019fe922ced2fd256e6d49eed33095b6b3be02aa524b621fdda203452d69e26b0ae79
Score

10^/10

formbook evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookevasionratspywarestealertrojan

behavioral2

formbookevasionratspywarestealertrojan