formbook | 557ac01b6da8e2ff8071f4cdb8029df59d3d323a2c5d1b521f56fd458a1ae7e5 | Triage

Sharing

General

Target

5bcb77ed3ad77d4cf723044784f6c10f_JaffaCakes118
Size

468KB
Sample

240519-2bf8rsdf44
MD5

5bcb77ed3ad77d4cf723044784f6c10f
SHA1

874317c4a45b7c742964e2223afe84bfccdffd35
SHA256

557ac01b6da8e2ff8071f4cdb8029df59d3d323a2c5d1b521f56fd458a1ae7e5
SHA512

2814db3317c8358c044c948464a983d13ba8d9c60b0b909cf03bda1d830e390d86e66b89969de2bc7b7a3e1ff37b0ef255458f639f1bcca674599f023a2def1b
SSDEEP

12288:qaaJOnVAbYNOfbj/24X6U7rzUXSvAJIkh2x/:qaiOJOTKC4jOG8/

Score

10^/10

formbook nh persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

nh

Decoy

poipoimikan.site

3day.site

casbahlondonkebab.com

freezingcbd.com

australian-beauty-remedies.com

roschildltd.com

katsuko.coach

ideareputationmanager.com

jfsuwdet.download

interblockyou.company

chuangfu-china.net

katrinhensel.com

faburaa.com

saucenationus.com

metodobrains.net

sexinbielefeld.com

theheartywelcome.com

swissaquashop.com

imhl-zj9h-95gq.biz

linkson.info

Targets

- Target
  
  GMI.CO.,LTD - EWR RefWT9TB5.exe
- Size
  
  637KB
- MD5
  
  6e3d0bd2d2bb6fcc996501895d84fed6
- SHA1
  
  bde3cf4ce6291fa6b0f4a7d828a53860f6d9aa32
- SHA256
  
  f2704785fc1c031804cc3903a319f8ba99bee1e0ea2766332b2aad1fff4f7436
- SHA512
  
  17b9c4c8733fec5368ea2f92bce0f7b2401d4a0a9887181dfa2b6205df5737901dec786ec53d08cbed5caa66e7287828b04fe28443a0e453dbbce957c210861e
- SSDEEP
  
  12288:+DCo5UPqjxu5zc4JV48njwWNLn5b7pLW0Z3EW7Wsv8kixW3pFMcmyuWp7pPmTppO:+2o5UWxuBc8hkuPpLWYEaW0iUuyq8a9
Score

10^/10

formbook nh rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbooknhratspywarestealertrojan

behavioral2

formbooknhpersistenceratspywarestealertrojan