formbook

Sharing

Copy URL

Twitter E-mail

General

Target

671c2e2710c301a026919308026c7865_JaffaCakes118
Size

396KB
Sample

240522-nm6qxada43
MD5

671c2e2710c301a026919308026c7865
SHA1

2b36ae436a477b786d336ecdb36965d0c745843e
SHA256

d451f6bc38ae71eccde50310507a91527714d64bec4aa4cdba613983a75145e1
SHA512

3296dcc9aca95c774eeb4767d7e6665b09ce954f0745cd6d0e020fb3e2eb72f0659488ed9824dd489f7a83326cdf897b9d7ff9f331a9e8b9c8fe8a8d209e7595
SSDEEP

12288:SESMBSEogkFvySfgX5LTzoa61+fn+8ix8SQfBItW:SESMZgvPWUU0x836tW

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

a8c

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Targets

- Target
  
  671c2e2710c301a026919308026c7865_JaffaCakes118
- Size
  
  396KB
- MD5
  
  671c2e2710c301a026919308026c7865
- SHA1
  
  2b36ae436a477b786d336ecdb36965d0c745843e
- SHA256
  
  d451f6bc38ae71eccde50310507a91527714d64bec4aa4cdba613983a75145e1
- SHA512
  
  3296dcc9aca95c774eeb4767d7e6665b09ce954f0745cd6d0e020fb3e2eb72f0659488ed9824dd489f7a83326cdf897b9d7ff9f331a9e8b9c8fe8a8d209e7595
- SSDEEP
  
  12288:SESMBSEogkFvySfgX5LTzoa61+fn+8ix8SQfBItW:SESMZgvPWUU0x836tW
Score

10^/10

formbook a8c rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $APPDATA/operations/21.opends60.dll
- Size
  
  47B
- MD5
  
  1c61970df4a3bc8759063f67ddd4bc62
- SHA1
  
  dff15cc016a710556e72503f502ee9133106370a
- SHA256
  
  9c1dd7c9174419f2e372135e329dfac0c91bad208e355c47643744c7958cd83f
- SHA512
  
  9c0f2f8a1d67ee151d012d741a65d8e6e190ed01f3a250a796bd8292166827169e38d4558ca905c09ac31cc0b064a3be76b0901f61ca6cf2f33317f909ea2645
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/operations/31.opends60.dll
- Size
  
  48B
- MD5
  
  9128287b604b1d7cb52c2a44e531ad12
- SHA1
  
  01e7aa892cd4cb79e48b567aee97123a0928d9e3
- SHA256
  
  aaaacf5a17f1503ad729030575ecd81e98061d62f9628530d649b2af77d4350e
- SHA512
  
  170bf84725b81975ee4c20dfa40a7c84b458af13f484ac2bcc247c3fc334217601a783730e465378be3063098db6d45f7064ac6701ecc6acdc53e3c4c017d126
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/operations/32.opends60.dll
- Size
  
  50B
- MD5
  
  0424f415f33b88ce99632f989e01f157
- SHA1
  
  27cb9b8f5c28c878541e76449443951f28247b7a
- SHA256
  
  3d3ea3136179012a71d0abdbab63510eb2d5b4bea94a1ab955368a0c395a4049
- SHA512
  
  22d7505a65ae93e4f7250ab87e7884b1e88ab909a9c9feeb994d3ca062466ee5d2f7fd5dcb0761fb7143421182b3a424e348424edbb2de2dae375b29a2cc2fc1
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/operations/63.opends60.dll
- Size
  
  49B
- MD5
  
  b856569dd87788640393ce20050b7dff
- SHA1
  
  78ff482a064cf41cee0fcc74802429279eaec9b2
- SHA256
  
  d8e1df632b0358f4f36c8a1f67eb22d9697e8cf48de634a7d650c34ff1af85e5
- SHA512
  
  caaaae98f9e42f4718e4ac312f59a63109193d50818f1fddcc54f1cfab916edab2d7dc2bf8ae53ccfdf47647a72c4fd221b973fd70fefc47b1082be4e02b32c9
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/operations/MicrosoftVsaVb.dll
- Size
  
  7KB
- MD5
  
  c7e1b994c3f732b1c8b4f08881ac4982
- SHA1
  
  1fc521fbefba01af142dc0d677900114cecaaaa2
- SHA256
  
  236ffe70834dbc7805bd717f610702ac78f1abf22c3de7827cca00bd68c534cf
- SHA512
  
  c94d79d372dfeda2dc08477de291754a854bfd395f1b2b4844dff2bed80308cdb7e504ec8ec3e6581046153981a1f4b4b653d7a1dbd70bcd06f78f0f62dfb7db
- SSDEEP
  
  96:vLmJ2tWUGRZO9Vx0vg/a1Dkfrf+hzq8nWn4CykZoiB2xv5hPfEWtNE8WPV:Dk2tWUGRg0IPE6y2B2xPP8WtNE8WN
Score

1^/10
behavioral11 behavioral12
- Target
  
  $APPDATA/operations/vbamnu.dll
- Size
  
  29KB
- MD5
  
  2e8811916b23afa369b0a1584d95086e
- SHA1
  
  6887c697e59766859cc561a751adfda3a9140e63
- SHA256
  
  687db98b6b8cf42dae4c2ea7e50e149c9b79e61bd48d5f806ebc042fb2ed09ad
- SHA512
  
  cca9270aa9782afe5291f17517cb89dce94371003af44824f5a7ed5d7efae7c8ebeac30bd58834d34783ca53fb6507b7556943b4e75bb0b1c22a90cb5b8c97a0
- SSDEEP
  
  384:VIy3T9VTvHyc/x8KmtzFCtoLKaGpQxvwMT5fy0DT1HGMAFZCap6/b/0dD0L6Kq0M:VIycKmtMt8uWp1VtHGPvKMZ0Rq0xxoX
Score

1^/10
behavioral13 behavioral14
- Target
  
  $APPDATA/var/decoder/3.opends60.dll
- Size
  
  281B
- MD5
  
  bb8e4f708b22f64baaaffcd6280a36b6
- SHA1
  
  6d7b48997154866c67111f909d0cc64a39df622d
- SHA256
  
  9f0218be031f2eee28502865f6742f835389286e22d45f1c533b3d4b8f21fe7e
- SHA512
  
  ac4e7e21cb18f40ddb63f1852746daa7dc434d5f8b4e0c5f149ddcbdd2dd4c3e2f828864913e5ce4df8d5bf8ee0cbf8221f06cf763cb42eb36a25c8c390116bb
Score

1^/10
behavioral15 behavioral16
- Target
  
  $APPDATA/var/decoder/VB7TLDUI.dll
- Size
  
  15KB
- MD5
  
  0e492f70d49ed66ff7471d87c59f3489
- SHA1
  
  b35d34c232903f4ff0aa8de5082d1bccdd78cf67
- SHA256
  
  c94c8a2709401aad4a1e59ef412db3c12aff855b85fcdfe635e70b0ea2420aa1
- SHA512
  
  1f796a2c1360a41a7558b57043c09b2ebeef5fdeaab71cc53af0d28d9b467f43d5a6aee9b4adb0f17adee5f1d4458dbe9e374815fe434f8e8c278fe829a909d6
- SSDEEP
  
  192:laUmA3jzxOnLkv6N3Xz6vrkonZCwnRDcWWqf7L/CldolMvMjGwPgMvws+ebMNOk9:AncYD6LIwnVcWjTLCcY+wCbsOc9j
Score

1^/10
behavioral17 behavioral18
- Target
  
  $APPDATA/var/decoder/msdatasrc.dll
- Size
  
  4KB
- MD5
  
  8e79ba0e04148e7709c75d8838d03e3f
- SHA1
  
  6535f7e9c71856ced16a73de3462330b0544af05
- SHA256
  
  23589e0651406e957d684d0af036e718e155500fc9498b0916d294509dfecc2c
- SHA512
  
  fd22a45d13bc757eec6bda780fd98ab2fec35bd01478138483ed6bb7b3fcff0b4f5693754050b597114d897e3ca785579f61a44a3b54eb14717130999ce9d0d9
Score

1^/10
behavioral19 behavioral20
- Target
  
  $APPDATA/var/decoder/msdnmui.dll
- Size
  
  29KB
- MD5
  
  f217fe7e8cbbebc61930bd60cfaea1e9
- SHA1
  
  18532b33579033f04b661a196d4ad5c0887f3736
- SHA256
  
  8638015b2bbc5b04029749aeb78e14521b5928737ca5e03bbcc2c0ec1a47f6cf
- SHA512
  
  b1633fe45c85f0e63fd0f293a3f71a80f6a8f059fbb3e1d17feac1ea7e5fce5d5d08207f08a163dd4543228556570e9a0bf06f34ca73f17ef9efa60f5fd3059c
- SSDEEP
  
  768:A/MAM30cf+Mj4fIzdODwDp1Y94nqiRyW82CLorT:QHel+MFKEpqUqiYWBOq
Score

1^/10
behavioral21 behavioral22
- Target
  
  $TEMP/Kinematograph.dll
- Size
  
  68KB
- MD5
  
  691ec4e437e2d8d03f7994757ecb37fd
- SHA1
  
  1d0569a79e78e17d16a2a1521c1cae9660d5aa4b
- SHA256
  
  14254882a6ca827e5107a6b0c91e7e58c50a42578e901b9aa0c3bcfd167618f6
- SHA512
  
  07850678b8157178987352ccbe4ba5caea7c46fb0927cf7f5a500c67916357861f1d85cfd2d9d83523d783d3d85684daf872eb0119b6081532ef9c5d2c95ea64
- SSDEEP
  
  1536:wK8RaeYpRBjuIYm1aXAtYLUOPVT7xvf/h:jRlpqXAtA7xH/h
Score

1^/10
behavioral23 behavioral24
- Target
  
  $TEMP/boondocks.exe
- Size
  
  48KB
- MD5
  
  f2c010efa41b7f7964f3f7c33d274d2c
- SHA1
  
  0fa34299cf3cae1f97ce61616481b268fc2d61a4
- SHA256
  
  1c79fad4da54e50dc05a2ef8b04e650e02dd9e42188aadfd834e64e85c693af0
- SHA512
  
  722a515ebbba7d381b3630f4696352377274a02e804e465900eaad32099c57ce89fb9703444372ac5c97f75ca387e906cd51000ed3aa1fa85606024e41eac3ae
- SSDEEP
  
  768:I+R6xxPZE++fy7Hm9qkYonPWvbD+z4Et7:ie+C9q0nPZ9t7
Score

10^/10

formbook a8c rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  $TEMP/customcode/67.opends60.dll
- Size
  
  47B
- MD5
  
  e4e4f671bde80749ea2eb465fda2568d
- SHA1
  
  5ca98566b46e8bc5538399cb05f85a8f41dde61f
- SHA256
  
  82f834504f7c6fce706e28083e8a93f52a61a84918b0cdcbdc0b1a70b505b1d1
- SHA512
  
  61e8ced4ee21ced48f0d4fbcce3ccc35546dbafb6b6c63a73503205740830ba11452e44a668aee123f72a1c75499b5f9a270e85b56bf782ea79a4d695eedaa08
Score

1^/10
behavioral27 behavioral28
- Target
  
  $TEMP/customcode/Culture.dll
- Size
  
  17KB
- MD5
  
  ad060608376e3195b4545928f43653d8
- SHA1
  
  33ea2c0efcff013562827b2eafa29e0e2ce2f4d2
- SHA256
  
  0fd01b0b8c8933af2518e813da69b16a5d60a41f86061732e24fa76cfa9a38ba
- SHA512
  
  2c11620bff86974f52bfe1facc9106c4b43c45e2b607bdd184d2f2d2066fdb3f6edd301b27de898351b5109f10d6b18377ef432ddde66c18ba60d68f4073491e
- SSDEEP
  
  384:tAseglikMIFYuGzqdQcKV46JWcURKIEWscvwyD:t75FY6dFKmRh
Score

1^/10
behavioral29 behavioral30
- Target
  
  $TEMP/customcode/MicrosoftDataConnectionUI.dll
- Size
  
  6KB
- MD5
  
  c888c20a2c50affc48077ccfac95b312
- SHA1
  
  ed32ec730e6fbec1c793cfb37eda6dd99186b1f0
- SHA256
  
  654a349cf86818b3f63961e4de0116b8d71076e4d815341ef86390fdb26c7503
- SHA512
  
  d7e38a761afa7a5b3fb9e8fbc8641786d14528a0f03de00384018dc79fba58eb82c4949899f0df4d9cfe1bc55546640ce4f79cdaf82f5d4116f9cb94a0ec1499
- SSDEEP
  
  96:/vANKu00tiegYfG0Wq35Bxv5/D3KrD18gRhEWrrNNZWPV:wNKu17fC05BxBgMWrrNNZWN
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Formbook

Formbook payload

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32