formbook | 59cac9b1189513625b6c5120705b8b6e82e58ce3be175bba8a21eb95df4fae17 | Triage

Sharing

General

Target

59cac9b1189513625b6c5120705b8b6e82e58ce3be175bba8a21eb95df4fae17
Size

880KB
Sample

220724-dbmhsacdh8
MD5

0ee80d0102f39d5e2a0022711e5af9ff
SHA1

6fef626f54a96a7b5525d81391f651ecee824b96
SHA256

59cac9b1189513625b6c5120705b8b6e82e58ce3be175bba8a21eb95df4fae17
SHA512

717f3cfa4a6a8b357853a668980d7adba7a7b0a2e36cb2b58fd3f88ecb9aee4ed77582ac755f33becd765d314f1f5467b62929c0c97dd2be35ec1e0634ed41ac

Score

10^/10

formbook se collection rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.dobigmail.com
Port:
587
Username:
[email protected]
Password:
Cuscargo123+

Extracted

Family

formbook

Version

3.9

Campaign

se

Decoy

ro-organic.com

techjobsmn.net

vandanet.net

huikuaida.com

wenfengbag.com

coolcloudhvac.company

vikenfa.com

espscienceandeducation.com

lianchuangsk.com

xiktv.com

cuncunle.ltd

mycouturelab.com

flexitllc.com

malesco.com

siteiby.com

clonemovie.com

fx-ssc.com

beautyllbeholder.com

setgaraj.com

architectjd.com

Targets

- Target
  
  59cac9b1189513625b6c5120705b8b6e82e58ce3be175bba8a21eb95df4fae17
- Size
  
  880KB
- MD5
  
  0ee80d0102f39d5e2a0022711e5af9ff
- SHA1
  
  6fef626f54a96a7b5525d81391f651ecee824b96
- SHA256
  
  59cac9b1189513625b6c5120705b8b6e82e58ce3be175bba8a21eb95df4fae17
- SHA512
  
  717f3cfa4a6a8b357853a668980d7adba7a7b0a2e36cb2b58fd3f88ecb9aee4ed77582ac755f33becd765d314f1f5467b62929c0c97dd2be35ec1e0634ed41ac
Score

10^/10

formbook se collection rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksecollectionratspywarestealertrojan

behavioral2

formbooksecollectionratspywarestealertrojan