formbook

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

161KB
Sample

230718-hbrvqagf69
MD5

802b5fe7efa993985e56f6636c0c8cca
SHA1

e53a075410bfa5d505ea6663e2b04adf3dd7ef09
SHA256

8349d0c4d9914eeb0d1619a23d5bfe062d00f94e64883483d12b0054d27ac376
SHA512

14f06896f8e264bd05e18ddf5d1551a3ec8cc0da40ea84448c9f0ae3d9ec094c5b7f11157e9444455f04c49c15443005e870de3cef8b182ca5e4041125baed84
SSDEEP

3072:+NzPHk9MpcQbhPjOKlkITN9lgNZXOXcSdfcLP66o3DuxDgKbxjVvdEd63Q21zo+y:+hRFh757TmcNfa2zgDgKdVCQhy

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

my26

Decoy

hqe0aw.cfd

kompromat1.life

cruises-62138.bond

servru.fun

019469.com

nelcorgold.com

tscauknf2.com

satset5.shop

kraflex.net

indoxl.city

jcm-54.com

wantedleds.shop

vzuqiiud.cfd

filipe.works

vistservice.online

bjnyfjef.cfd

thegolffund.com

hadyjayapropertindo.com

passionalchemy.com

k9eiow.cfd

Targets

- Target
  
  Ziraat Bankasi Swift Mesaji.exe
- Size
  
  161KB
- MD5
  
  802b5fe7efa993985e56f6636c0c8cca
- SHA1
  
  e53a075410bfa5d505ea6663e2b04adf3dd7ef09
- SHA256
  
  8349d0c4d9914eeb0d1619a23d5bfe062d00f94e64883483d12b0054d27ac376
- SHA512
  
  14f06896f8e264bd05e18ddf5d1551a3ec8cc0da40ea84448c9f0ae3d9ec094c5b7f11157e9444455f04c49c15443005e870de3cef8b182ca5e4041125baed84
- SSDEEP
  
  3072:+NzPHk9MpcQbhPjOKlkITN9lgNZXOXcSdfcLP66o3DuxDgKbxjVvdEd63Q21zo+y:+hRFh757TmcNfa2zgDgKdVCQhy
Score

10^/10

formbook my26 discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2