formbook | 3d15b7b4e8f1561e4cd2f2657d2f088373000d4ab895bab86fa14a6580d2c453 | Triage

Sharing

General

Target

72dc059fe06ff8998f3fac66dbf7f68c
Size

483KB
Sample

240124-zy2f4shbgk
MD5

72dc059fe06ff8998f3fac66dbf7f68c
SHA1

fa12804d841d8b9cd813c6090d1781343f78932d
SHA256

3d15b7b4e8f1561e4cd2f2657d2f088373000d4ab895bab86fa14a6580d2c453
SHA512

a8294b806f5ed52df724dbbe6269467351ca78db5ca35871b9d95d914e6eeae72bc82e1cbf608dafc1afcda3d5c1d73471c49a20efe9ff02765ce5ef186d5bc3
SSDEEP

6144:7IFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9R:Wh8Mz+sv3y2N1xzAZprkmuN/SD5iKefr

Score

10^/10

formbook ow persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ow

Decoy

piavecaffe.com

jlxkqg.men

lifesavingfoundation.net

karadasama.net

michaeltraolach-macsweeney.com

thunderwatches.com

serviciocasawhirlpool.biz

c-cap.online

itparksolution.com

clarityhearingkw.com

wpgrosiri.date

colemarshalcambell.com

webperffest.com

adjusterforirma.info

buildersqq.com

spiritualwisdominindia.com

111222333.net

traditionalarabicdishes.com

hmlifi.com

receive-our-info-heredaily.info

Targets

- Target
  
  72dc059fe06ff8998f3fac66dbf7f68c
- Size
  
  483KB
- MD5
  
  72dc059fe06ff8998f3fac66dbf7f68c
- SHA1
  
  fa12804d841d8b9cd813c6090d1781343f78932d
- SHA256
  
  3d15b7b4e8f1561e4cd2f2657d2f088373000d4ab895bab86fa14a6580d2c453
- SHA512
  
  a8294b806f5ed52df724dbbe6269467351ca78db5ca35871b9d95d914e6eeae72bc82e1cbf608dafc1afcda3d5c1d73471c49a20efe9ff02765ce5ef186d5bc3
- SSDEEP
  
  6144:7IFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9R:Wh8Mz+sv3y2N1xzAZprkmuN/SD5iKefr
Score

10^/10

formbook ow persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookowpersistenceratspywarestealertrojan

behavioral2

formbookowpersistenceratspywarestealertrojan