formbook | 1337e58c0897622ba8376e5fd758a69392c8a49575777eb345d39a4ac7d1348e | Triage

Sharing

General

Target

Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs
Size

157KB
Sample

240322-h8elnaca3x
MD5

37c7348eb9bdef26b5f45e9e12ff0ddf
SHA1

29e03db1f1c294254fa5af2b162229d37e887aed
SHA256

1337e58c0897622ba8376e5fd758a69392c8a49575777eb345d39a4ac7d1348e
SHA512

d986a4c1a345a08aba50cb36cb232b8a2b91060206409cf269d21905c551e1c6fae8936e67d1daf709c676285ff945b718211512eb93ad348156c2e7f4eee9ee
SSDEEP

3072:OarAcD0SZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbkd+xCQqV4TgJaSH:P7D0Sn/s42Rvrq4xgc3RR+vYbqXRFtcz

Score

10^/10

formbook fe15 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fe15

Decoy

ivynet.online

luckypermaisuri4d.monster

airoma.top

kp2d.xyz

oliviarosebridal.com

cartelcollectionz.com

qereport.com

radyomdeniz.com

nakedsonproductions.com

hanamasa.xyz

demontimemail.com

shannoncarpenterrealtor.online

jlzjunkremoval.com

key-talent-solutions.com

jaydanne.com

dmstgy.site

rings-32342.bond

gpoixev.online

orabox.shop

carrothong.space

Targets

- Target
  
  Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs
- Size
  
  157KB
- MD5
  
  37c7348eb9bdef26b5f45e9e12ff0ddf
- SHA1
  
  29e03db1f1c294254fa5af2b162229d37e887aed
- SHA256
  
  1337e58c0897622ba8376e5fd758a69392c8a49575777eb345d39a4ac7d1348e
- SHA512
  
  d986a4c1a345a08aba50cb36cb232b8a2b91060206409cf269d21905c551e1c6fae8936e67d1daf709c676285ff945b718211512eb93ad348156c2e7f4eee9ee
- SSDEEP
  
  3072:OarAcD0SZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbkd+xCQqV4TgJaSH:P7D0Sn/s42Rvrq4xgc3RR+vYbqXRFtcz
Score

10^/10

formbook fe15 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

formbookfe15persistenceratspywarestealertrojan