formbook

General

Target

caafec374594c5b93a986bc31df97f17.exe
Size

402KB
Sample

230718-hzc2gagg89
MD5

caafec374594c5b93a986bc31df97f17
SHA1

8c2e069e2f715e6172492e1009e64009dc8b2558
SHA256

99db3b5192d77a3db297df19db4e486c3af98416b0c023720fa2f3e88d6086cf
SHA512

7384cacada091dc29204c870e33e852d08e39185c09bf96dc1d228b843b368a4833a5912f50d21d5eeb3509dd260e9078f8b3fa868455c1e687c2ea9c2feb122
SSDEEP

6144:NPXoDQpcUz+TfBDma1bXGBZnvjFh64S07Qfy6JdRpNWMv7PW62swd:NWDfhWBJjF6aezNWgPJ8

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ms14

Decoy

adjoinstaff.online

kmmdznky.cfd

keyviewgroup.com

kidomarketing.com

jroxtqpq.cfd

jdevmx.com

genqaagz.cfd

1cdpwp.cfd

francegoldvip.com

2qy218.xyz

peterscanner.com

trullys.com

aniwatch.top

windyhillcnc.com

pokazhu.com

r74jsy.cfd

paulgadgets.com

lindanewtee.com

lasik-de-de-8808230.zone

critone.site

Targets

- Target
  
  caafec374594c5b93a986bc31df97f17.exe
- Size
  
  402KB
- MD5
  
  caafec374594c5b93a986bc31df97f17
- SHA1
  
  8c2e069e2f715e6172492e1009e64009dc8b2558
- SHA256
  
  99db3b5192d77a3db297df19db4e486c3af98416b0c023720fa2f3e88d6086cf
- SHA512
  
  7384cacada091dc29204c870e33e852d08e39185c09bf96dc1d228b843b368a4833a5912f50d21d5eeb3509dd260e9078f8b3fa868455c1e687c2ea9c2feb122
- SSDEEP
  
  6144:NPXoDQpcUz+TfBDma1bXGBZnvjFh64S07Qfy6JdRpNWMv7PW62swd:NWDfhWBJjF6aezNWgPJ8
Score

10^/10

formbook guloader ms14 downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Checks QEMU agent file

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2