formbook

General

Target

Shipment Document BL,INV and packing list.jpg.ace
Size

190KB
Sample

221027-nvkhmscaa3
MD5

432b71470c9c428dafb9bbe4aff7f043
SHA1

c4cc85c90067d0401a4a3bbf69cc2c5fb79a9d55
SHA256

b20f21ae03c89db71ee631ee00a03d45de97a3c15e6045d75bc045cd7e3b5c6a
SHA512

60605431d4c082e3abdfd8ef4c54eabb76624b117fd499a99601150a7d4d730874e79bd8e23645be794e39e10e38ac30f3325bcce54ab21f055887e87a688f46
SSDEEP

3072:NdZxywLo3yMDAAGEzzhd4egV6psjvaemFXNCuhq4LGYofQQqBS6dlksEmLgyqROq:Jx5LovAAGkzD4RJOFXNPq4Po4QLCEIgF

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online

Targets

- Target
  
  Shipment Document BL,INV and packing list.jpg.exe
- Size
  
  323KB
- MD5
  
  858a0b8a0c24df21ce22f3ff702a3737
- SHA1
  
  f285429ebe2a75c143abe1fd579c979122c6afe0
- SHA256
  
  88819addd430324a7461bdf59c1ab994bc613bb2b17f09e572b7ba1c0c47e6f9
- SHA512
  
  cfdab69ebe17d666b05a399c935a28f411a9bc1a5c014dd1fa533043992b7a947d6417982011b9fabc76c21d2d294d6384a2157580fc30b4ef46e53eb0c57ca7
- SSDEEP
  
  6144:/6dbOGzzzzzzzzzzzzzzzzzzzzzzzzzzzzkzTzzzzzzQtkauL/sVfEBlUbrQ2Inh:itka2UbrQlZI/JTV6V7KAF
Score

10^/10

discovery formbook d06c rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2