formbook

General

Target

1b8b300084417155dbdb08b74e8a168cefc888164b3d12b8957b444dd752324c
Size

355KB
Sample

230420-mqqcnahd24
MD5

44f4d3468f49e03d3804673166c14358
SHA1

e9740c50070203f101fb8582d040a68ed42f4407
SHA256

1b8b300084417155dbdb08b74e8a168cefc888164b3d12b8957b444dd752324c
SHA512

8b98bec00537ae55b25fb96c6a146cfd7604f5421043171d69b076004c32c44e514c78c563d49aa8b34ec24b7d5fa6cdc4a5a65a996b95de04a3f903578c8c24
SSDEEP

6144:GT5UzmUrnXJNrFuLNl30sYgKpP1WhC8Jnzf3jHTsdOgDypPpF5kF/62cUoAU2cfk:GT5jcnXJNrFaNs71WhC8Jzf3jzOOgDqU

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

be83

Decoy

woodlandscancercare.org.uk

hosting-delightful.lol

bilpreco.com

diplomk-v-habarovske.com

dzgck.com

jsdappraisals.com

digitalnishant.com

bluevibesgift.com

wowchershoo.co.uk

eudoriaofficial.online

ourcampaign2024.net

barlogcode.com

calmingscents.biz

thewaterfallproject.africa

www-1911.com

cigapp.online

wooddroppers.africa

casmiya.com

haruminailbar.com

drivermindset.com

Targets

- Target
  
  1b8b300084417155dbdb08b74e8a168cefc888164b3d12b8957b444dd752324c
- Size
  
  355KB
- MD5
  
  44f4d3468f49e03d3804673166c14358
- SHA1
  
  e9740c50070203f101fb8582d040a68ed42f4407
- SHA256
  
  1b8b300084417155dbdb08b74e8a168cefc888164b3d12b8957b444dd752324c
- SHA512
  
  8b98bec00537ae55b25fb96c6a146cfd7604f5421043171d69b076004c32c44e514c78c563d49aa8b34ec24b7d5fa6cdc4a5a65a996b95de04a3f903578c8c24
- SSDEEP
  
  6144:GT5UzmUrnXJNrFuLNl30sYgKpP1WhC8Jnzf3jHTsdOgDypPpF5kF/62cUoAU2cfk:GT5jcnXJNrFaNs71WhC8Jzf3jzOOgDqU
Score

10^/10

formbook guloader be83 discovery downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2