formbook

General

Target

LIST.exe
Size

449KB
Sample

230209-r2hjeaga4t
MD5

d74fd6ed07181f2d8c67708af84a0342
SHA1

8a564e7c684069e6ab5f72faa1a7fc5e25985cd9
SHA256

8214fef9e3cba373f5c92b48fe8535760e67cad89abdf07a7d60f69b2c37a018
SHA512

be1377559ed86fd9bdd82a754b2b1b33bdb4acf5216f142ebdb950180ed5041f41b2ebd1b0746d30dc6014220ecf2ec9c73294e3e86a17028efaeb4830167f02
SSDEEP

6144:qp0+DpuPJFjJYILWt3NwuLk5TvTobml6n6HOxLNoQyhocxiDLW9M:qwFjJnKlNwuArobmljULUXxiDLiM

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gr05

Decoy

companysyuanarea.com

brightssidefinancial.com

macrotek.co.uk

k8stestsite.com

arabaticareti.com

ixsmir2imi.net

harmoniouspsicologia.com

feelingfitandfabulous.co.uk

chaudharyramkumar.com

centerstage280.com

barbarianhealth.com

conviveum.com

cookitproductions.com

chooseyupei.com

gofraud-netusa.com

nppaf.africa

fouchpur.com

celticjewelryireland.com

gfaxtp.xyz

kupinaklik.net

Targets

- Target
  
  LIST.exe
- Size
  
  449KB
- MD5
  
  d74fd6ed07181f2d8c67708af84a0342
- SHA1
  
  8a564e7c684069e6ab5f72faa1a7fc5e25985cd9
- SHA256
  
  8214fef9e3cba373f5c92b48fe8535760e67cad89abdf07a7d60f69b2c37a018
- SHA512
  
  be1377559ed86fd9bdd82a754b2b1b33bdb4acf5216f142ebdb950180ed5041f41b2ebd1b0746d30dc6014220ecf2ec9c73294e3e86a17028efaeb4830167f02
- SSDEEP
  
  6144:qp0+DpuPJFjJYILWt3NwuLk5TvTobml6n6HOxLNoQyhocxiDLW9M:qwFjJnKlNwuArobmljULUXxiDLiM
Score

10^/10

discovery formbook guloader gr05 downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2