formbook | 3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c | Triage

Submit
Reports

Overview

overview

Static

static

7

5b725efbc8...18.exe

windows7-x64

5b725efbc8...18.exe

windows10-2004-x64

Sharing

General

Target

5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118
Size

1.4MB
Sample

240519-zva5rahh2y
MD5

5b725efbc8903ac1ec1266cebe2b2c73
SHA1

d3c89752dc7d05493139350ff9dcd161ffc114c6
SHA256

3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c
SHA512

491c25615050b345bb2335d9bd682574480a513437b134fb4dad6d4066ea5597d532440badfa66f375e325155d6f7975376b4df50db98aac63d616fa9251dad0
SSDEEP

24576:c8AOeN2wWyBFAPspnRw2wZ+0OUkgeHi7YmJXFsoPvWZ:c8uN2wWqiww2DgeHE5Fso3W

Score

10^/10

formbook gx agilenet persistence rat spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118.exe

Resource

win7-20240221-en

formbook gx agilenet persistence rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118.exe

Resource

win10v2004-20240508-en

formbook gx agilenet persistence rat spyware stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

gx

Decoy

arno-mulder.com

mmdlb.com

soiyu.com

congdongcoin.info

cutes.site

tstyleshop.com

fishaways.com

alteryourstate.com

footballchange.info

chieftory.com

minumbers.com

colocius.com

raveltalent.com

lapuphealth.com

engineflooded.com

artesatellitare.com

localpostcardadvertising.com

aebfgk.info

4arip.com

nostalgianerdz.com

weightworks.clinic

myrestaurantmentor.com

menikuya.com

textilitis.com

communityhealthypharmacy.com

ok4pts.com

syoubaihanjyou-tokyo817.com

cashforhomeshamptonrose.com

kipenrib.info

theyogaflo.com

1cq2.win

intim.store

ibelieveinbrazil.com

taks-energie.com

pornurlz.com

hairllowers.com

yourlogi-fit.com

jennifer4erie.com

wholesaleorderplugin.com

addictionadvisor.info

22associates.com

kamotsbeauty.com

charkitt.com

download-quick-archive.download

www139706.com

bemaaultosport.com

01988q.com

iqlife.info

marjoriewilmotte-avocat.com

meegomusic.com

faheyballein.com

nmuas.com

sunnyviewvetcare.com

ss2su.com

yingtuge.com

grimescornpanies.com

0g6fivegive.men

t4z4f7p34y.com

2220027.com

jxck1688.net

bjorn.cloud

japanandbackagain.com

shrinefox.com

weedoid.com

covzin.com

Targets

- Target
  
  5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  5b725efbc8903ac1ec1266cebe2b2c73
- SHA1
  
  d3c89752dc7d05493139350ff9dcd161ffc114c6
- SHA256
  
  3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c
- SHA512
  
  491c25615050b345bb2335d9bd682574480a513437b134fb4dad6d4066ea5597d532440badfa66f375e325155d6f7975376b4df50db98aac63d616fa9251dad0
- SSDEEP
  
  24576:c8AOeN2wWyBFAPspnRw2wZ+0OUkgeHi7YmJXFsoPvWZ:c8uN2wWqiww2DgeHE5Fso3W
Score

10^/10

formbook gx agilenet persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookgxagilenetpersistenceratspywarestealertrojan

behavioral2

formbookgxagilenetpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy