formbook

General

Target

98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
Size

683KB
Sample

230505-p1xwlace4w
MD5

0c09691b8316208374f1bea0ed9cba4c
SHA1

d1d3c4b5bfa402e019ae022b7302be255c16ef7b
SHA256

98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
SHA512

029d915acae1dff35eade01dc69f5835ef341776a2df9645de233dd7e858f66e309b8d7e31c20c30c55a2f5fdb29fe9928040a600543550d414fac70bc74324c
SSDEEP

12288:QqECucXU4xRUFWC/AMby6OnKjNR5QKRL0NWj9MoEzf:ACucEaUFWC/12xyTQKSoBMDb

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ks01

Decoy

glchqx.com

acpwatertreatment.co.uk

hannahschepmann.com

cvcv49.top

crazy-for-promotion.online

goldstreamacademy.africa

erasure.monster

judiangka.boats

fli.group

94ebuy.com

enjoyvet.com

box618.shop

formdr.dev

rivierabathrooms.co.uk

drawntocolour.com

digitalworldobserver.com

lonelinessindex.com

coachifyfunnels.com

abeloewen.com

bahujan.store

Targets

- Target
  
  98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
- Size
  
  683KB
- MD5
  
  0c09691b8316208374f1bea0ed9cba4c
- SHA1
  
  d1d3c4b5bfa402e019ae022b7302be255c16ef7b
- SHA256
  
  98e96c2ccc5c125d947804851df65f324db5d8bedcd60d19f6bea9ed44252e86
- SHA512
  
  029d915acae1dff35eade01dc69f5835ef341776a2df9645de233dd7e858f66e309b8d7e31c20c30c55a2f5fdb29fe9928040a600543550d414fac70bc74324c
- SSDEEP
  
  12288:QqECucXU4xRUFWC/AMby6OnKjNR5QKRL0NWj9MoEzf:ACucEaUFWC/12xyTQKSoBMDb
Score

10^/10

formbook guloader ks01 discovery downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2