formbook

General

Target

0b793ae840102dff93fa1ec0a38bd603.exe
Size

430KB
Sample

230321-sbm7msdf4x
MD5

0b793ae840102dff93fa1ec0a38bd603
SHA1

ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c
SHA256

6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8
SHA512

374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7
SSDEEP

6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Targets

- Target
  
  0b793ae840102dff93fa1ec0a38bd603.exe
- Size
  
  430KB
- MD5
  
  0b793ae840102dff93fa1ec0a38bd603
- SHA1
  
  ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c
- SHA256
  
  6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8
- SHA512
  
  374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7
- SSDEEP
  
  6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH
Score

10^/10

formbook guloader u34f discovery downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2