formbook | c222b07df99688f8ba5c35ce475d970b9fd0597420061d42707b553d00c788aa | Triage

Sharing

General

Target

444d3df9a20c68281353a091f76428e3_JaffaCakes118
Size

485KB
Sample

240515-dpvrbaed7z
MD5

444d3df9a20c68281353a091f76428e3
SHA1

b8659dab04ea1120bc696a1ee43b5d3022f830a5
SHA256

c222b07df99688f8ba5c35ce475d970b9fd0597420061d42707b553d00c788aa
SHA512

34556cf1a8ef045f8ae76f5d81216cae4748f51d3ecf81a12e2799c7ee4705457e47c5755c26bb40f296a27e7ad088c703d899bab8472f409b9b28b83ee6f1d7
SSDEEP

12288:IJzuW1RElKHFrTzh4NnsGvyrTOEEF1TQEULvz/:czuyElmlTMshrTC/kEULvD

Score

10^/10

formbook um agilenet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

um

Decoy

tophandbagmart.com

indycabinetconnection.com

lastmonthsnews.com

schoolofgeneius.com

talkingtoms.com

pleasefixmyheat.com

nvdough.com

tauruslegal.com

designercoverscustom.com

clubdevfun.com

pourpop.com

republiccreditcoin.com

nmochat.com

techpriors.com

apartmentsomr.com

edjamesjones.com

hxtfgs.com

betturka.media

organicwaisttrainingcorset.com

foxtrotfilm.com

Targets

- Target
  
  444d3df9a20c68281353a091f76428e3_JaffaCakes118
- Size
  
  485KB
- MD5
  
  444d3df9a20c68281353a091f76428e3
- SHA1
  
  b8659dab04ea1120bc696a1ee43b5d3022f830a5
- SHA256
  
  c222b07df99688f8ba5c35ce475d970b9fd0597420061d42707b553d00c788aa
- SHA512
  
  34556cf1a8ef045f8ae76f5d81216cae4748f51d3ecf81a12e2799c7ee4705457e47c5755c26bb40f296a27e7ad088c703d899bab8472f409b9b28b83ee6f1d7
- SSDEEP
  
  12288:IJzuW1RElKHFrTzh4NnsGvyrTOEEF1TQEULvz/:czuyElmlTMshrTC/kEULvD
Score

10^/10

formbook um agilenet rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookumagilenetratspywarestealertrojan

behavioral2

formbookumagilenetpersistenceratspywarestealertrojan