formbook | 652db7cca4b40cec110b068e3e45362ccb1a7b447986be899848f74d29aef2b4 | Triage

Sharing

General

Target

06fc69fd28e3d6b46f907da67bdcc94b
Size

483KB
Sample

231230-vetjyaaebj
MD5

06fc69fd28e3d6b46f907da67bdcc94b
SHA1

36ba41a3503f193bf729b463be98a27bec207a5a
SHA256

652db7cca4b40cec110b068e3e45362ccb1a7b447986be899848f74d29aef2b4
SHA512

51e1787f31ffa0449c226bc9a6d6820316479abb201da6a36897c1d0622b0b8f02d0d36a68f51218ff89fa2478e309afc6182c39b5a15a4e0d61fec77d44faf8
SSDEEP

6144:rIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9C:mh8Mz+sv3y2N1xzAZprkmuN/SD5iKef4

Score

10^/10

formbook ow persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ow

Decoy

piavecaffe.com

jlxkqg.men

lifesavingfoundation.net

karadasama.net

michaeltraolach-macsweeney.com

thunderwatches.com

serviciocasawhirlpool.biz

c-cap.online

itparksolution.com

clarityhearingkw.com

wpgrosiri.date

colemarshalcambell.com

webperffest.com

adjusterforirma.info

buildersqq.com

spiritualwisdominindia.com

111222333.net

traditionalarabicdishes.com

hmlifi.com

receive-our-info-heredaily.info

Targets

- Target
  
  06fc69fd28e3d6b46f907da67bdcc94b
- Size
  
  483KB
- MD5
  
  06fc69fd28e3d6b46f907da67bdcc94b
- SHA1
  
  36ba41a3503f193bf729b463be98a27bec207a5a
- SHA256
  
  652db7cca4b40cec110b068e3e45362ccb1a7b447986be899848f74d29aef2b4
- SHA512
  
  51e1787f31ffa0449c226bc9a6d6820316479abb201da6a36897c1d0622b0b8f02d0d36a68f51218ff89fa2478e309afc6182c39b5a15a4e0d61fec77d44faf8
- SSDEEP
  
  6144:rIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9C:mh8Mz+sv3y2N1xzAZprkmuN/SD5iKef4
Score

10^/10

formbook ow persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookowpersistenceratspywarestealertrojan

behavioral2

formbookowpersistenceratspywarestealertrojan