formbook | 6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6 | Triage

Sharing

General

Target

18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118
Size

424KB
Sample

240505-vbypgsad87
MD5

18882465f8b6e72a46669d4aa2e78cb1
SHA1

b05a070b6c3fec5330d1413594a4b17b19099a02
SHA256

6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6
SHA512

388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44
SSDEEP

6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId

Score

10^/10

formbook h308 agilenet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h308

Decoy

sewrelax.com

southbaycurling.rocks

hongju101.com

nikkismithonline.com

bluprl.net

slursthisshark.com

smootord.com

buyoregonhemp.com

stepstolight.com

mchausverwalter.com

cofidis.cloud

queenartjewellery.com

samoedrasalvageengineers.com

skull.ltd

leapmotors.net

gayo.ltd

philborremans.com

yeezywaverunner700.com

febriananas.com

railor-music.com

Targets

- Target
  
  18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118
- Size
  
  424KB
- MD5
  
  18882465f8b6e72a46669d4aa2e78cb1
- SHA1
  
  b05a070b6c3fec5330d1413594a4b17b19099a02
- SHA256
  
  6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6
- SHA512
  
  388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44
- SSDEEP
  
  6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId
Score

10^/10

agilenet formbook h308 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

formbookh308agilenetpersistenceratspywarestealertrojan