formbook | 598667091482e960508b94f2f46f6a6895afe071f3e37cd27cb4989865c2ee86 | Triage

Sharing

General

Target

f4891c4b2d5d817c50477bb8fa11c0a4_JaffaCakes118
Size

477KB
Sample

240416-26rmzsgf9w
MD5

f4891c4b2d5d817c50477bb8fa11c0a4
SHA1

ce348c1ffa3a29ae6d318d9ab1f3fdede334e24a
SHA256

598667091482e960508b94f2f46f6a6895afe071f3e37cd27cb4989865c2ee86
SHA512

a545659229b733c74c7f402bcca6fe037ca53d11f4f07a2b62938474d2c22a5a9be77348967fb3a06ef6cd28dfd0da420b129a8c80d526e176c7d907c76f075e
SSDEEP

6144:5JzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhI:5JY1ja4qQ+rcbFudkuN/S/1MSSPQcHKa

Score

10^/10

formbook fr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

geturstuff.life

kisakollections.com

bkipmtahuna.com

aoxou.com

thebigandfreeupdates.download

utvtribe.com

icontoken.com

naturexperience.com

h2sentertainmentcafe.com

careerproresumepa.com

franchiseindia.directory

psychouniversity.com

traveng.com

mylifestylebyclem.com

greentmraelty.com

imoneg.com

lupusrebelacademy.com

ghqxc.info

lylulidbd.com

dalfreestyle.com

Targets

- Target
  
  f4891c4b2d5d817c50477bb8fa11c0a4_JaffaCakes118
- Size
  
  477KB
- MD5
  
  f4891c4b2d5d817c50477bb8fa11c0a4
- SHA1
  
  ce348c1ffa3a29ae6d318d9ab1f3fdede334e24a
- SHA256
  
  598667091482e960508b94f2f46f6a6895afe071f3e37cd27cb4989865c2ee86
- SHA512
  
  a545659229b733c74c7f402bcca6fe037ca53d11f4f07a2b62938474d2c22a5a9be77348967fb3a06ef6cd28dfd0da420b129a8c80d526e176c7d907c76f075e
- SSDEEP
  
  6144:5JzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhI:5JY1ja4qQ+rcbFudkuN/S/1MSSPQcHKa
Score

10^/10

formbook fr persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookfrpersistenceratspywarestealertrojan

behavioral2

formbookfrpersistenceratspywarestealertrojan