formbook | 3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c | Triage

Sharing

General

Target

5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118
Size

1.4MB
Sample

240519-zva5rahh2y
MD5

5b725efbc8903ac1ec1266cebe2b2c73
SHA1

d3c89752dc7d05493139350ff9dcd161ffc114c6
SHA256

3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c
SHA512

491c25615050b345bb2335d9bd682574480a513437b134fb4dad6d4066ea5597d532440badfa66f375e325155d6f7975376b4df50db98aac63d616fa9251dad0
SSDEEP

24576:c8AOeN2wWyBFAPspnRw2wZ+0OUkgeHi7YmJXFsoPvWZ:c8uN2wWqiww2DgeHE5Fso3W

Score

10^/10

formbook gx agilenet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

gx

Decoy

arno-mulder.com

mmdlb.com

soiyu.com

congdongcoin.info

cutes.site

tstyleshop.com

fishaways.com

alteryourstate.com

footballchange.info

chieftory.com

minumbers.com

colocius.com

raveltalent.com

lapuphealth.com

engineflooded.com

artesatellitare.com

localpostcardadvertising.com

aebfgk.info

4arip.com

nostalgianerdz.com

Targets

- Target
  
  5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  5b725efbc8903ac1ec1266cebe2b2c73
- SHA1
  
  d3c89752dc7d05493139350ff9dcd161ffc114c6
- SHA256
  
  3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c
- SHA512
  
  491c25615050b345bb2335d9bd682574480a513437b134fb4dad6d4066ea5597d532440badfa66f375e325155d6f7975376b4df50db98aac63d616fa9251dad0
- SSDEEP
  
  24576:c8AOeN2wWyBFAPspnRw2wZ+0OUkgeHi7YmJXFsoPvWZ:c8uN2wWqiww2DgeHE5Fso3W
Score

10^/10

formbook gx agilenet persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgxagilenetpersistenceratspywarestealertrojan

behavioral2

formbookgxagilenetpersistenceratspywarestealertrojan