formbook

General

Target

tmp
Size

915KB
Sample

240125-e35n4sgba4
MD5

c51050da2c94bbb62c6d2c51862b15dd
SHA1

84489f41759b69be75fa13430ba2f78143a857a1
SHA256

f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72
SHA512

9b22c562b3c84c0dce7a9888a227b67d991d4175d82ed2399d1629a216c0df9afc08285af94f06a09238ac896df2e0484d354bac4fab977bb2d3337a5b1521ef
SSDEEP

24576:nJzp/ZBD1bJJReGhyAynCXbwZ4pHzZhrh0Fy1:JVTD1Xhyn0bwZSnh0I

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce10

Decoy

universalbowls.com

bp5.site

thiagokielingwebdesign.net

grapper.fun

grow-more.us

cqdh888.com

facthunter.app

cstars05.xyz

baumeagency.com

montevallotowing.top

joshtdownes.com

ampvit88.info

timelesscoutureclothing.com

stimuscle.com

uppervillekeyword.top

victoriabaltzer.com

laguindah.art

kiddieboost.com

santafekeyword.top

818experience.com

Targets

- Target
  
  tmp
- Size
  
  915KB
- MD5
  
  c51050da2c94bbb62c6d2c51862b15dd
- SHA1
  
  84489f41759b69be75fa13430ba2f78143a857a1
- SHA256
  
  f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72
- SHA512
  
  9b22c562b3c84c0dce7a9888a227b67d991d4175d82ed2399d1629a216c0df9afc08285af94f06a09238ac896df2e0484d354bac4fab977bb2d3337a5b1521ef
- SSDEEP
  
  24576:nJzp/ZBD1bJJReGhyAynCXbwZ4pHzZhrh0Fy1:JVTD1Xhyn0bwZSnh0I
Score

10^/10

formbook guloader ce10 downloader rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Formbook payload

Deletes itself

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4