formbook | 672e377a7c28f418630e33e2dd1bb626ebd6705734f4b61a27c3b8584cd1b4c4 | Triage

Sharing

General

Target

54f2410d77080888d7438cd0a9f7a685_JaffaCakes118
Size

229KB
Sample

240518-qrsqysdg48
MD5

54f2410d77080888d7438cd0a9f7a685
SHA1

8fe9888e269e076d05daf3d3f1c08fed4893544a
SHA256

672e377a7c28f418630e33e2dd1bb626ebd6705734f4b61a27c3b8584cd1b4c4
SHA512

c569e00437a59070db024f2af5c177c60908fc099bc87904ded431c72167dcc8a15729822851f63e9a967cdc8a6d0fbd6701feb6641936e3058f59e2fae0d04f
SSDEEP

6144:y3AdpAt0zsbB8EBwylZo9Gvn5vNzYic2epsQNL8nkTEh:m0pqhPjlXc2OsU8kQh

Score

10^/10

formbook o7 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

o7

Decoy

detob.com

disneypanda.win

shawsgroupltd.com

phimdan.com

xn--mbt827f11c9wf.com

smartlifestylechange.com

gposrq.men

dhdba.com

elixir-floral-ischtar.com

swarm4you.info

planet-saving-expert.net

xdancex.com

maqax.com

bn24.news

lebensstil.store

epilcolor.com

louzanfashion.online

natgeocolorwild.info

zemunci.com

xn--qvr67wu7olvg.com

Targets

- Target
  
  SHIPPING_DOC_PL_INV_BL_PDA_005958883_pdf.exe
- Size
  
  310KB
- MD5
  
  22a178e0f16637e45909a3dae9b8d623
- SHA1
  
  3965ecc692c69659bbf7b788060ccbe43b27c9be
- SHA256
  
  c78a0839956fc39357c153f175811edfc50835093387322e4639156ab1aeb701
- SHA512
  
  cbf71fbbaa9817c0ba29bb549590f3e381319ca3bca30c900b3325c141ad8f31ca4ea7b48fdbc9846258a3077005b11e1c56da8fd82bd366d507806f36269d4e
- SSDEEP
  
  6144:gacs8c4h9UYI7c8MWCFVaXAs/jiB1fXzW8Qf4QiiIJw:g68cgUYIY81CXaXAs/eB1/iFb2w
Score

10^/10

formbook o7 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooko7persistenceratspywarestealertrojan

behavioral2

formbooko7persistenceratspywarestealertrojan