formbook | c7f39ffbd4188672e93a467304577000e255f966d2091f4806670af666c115d1 | Triage

Sharing

General

Target

6f3d8e69382cd63205b00eeccfd7b839_JaffaCakes118
Size

390KB
Sample

240524-vrlpvsdd65
MD5

6f3d8e69382cd63205b00eeccfd7b839
SHA1

11308a10ba3c89fe09565bd21a944f0c68422536
SHA256

c7f39ffbd4188672e93a467304577000e255f966d2091f4806670af666c115d1
SHA512

19b0bccb5c34004cca30c0c2fa5094919938ae1822f3a28a1e9d7f7279c51add0ed442044959677deae5755e52f566ff49f6cae2ab599a84a0deee6e2971e7f1
SSDEEP

6144:LV9uiLsgC1q8zwjuWyv1Gsi49ach+yKRS0RhfoWkN8fQ1sTxlknLpbNNdTKhoP:LfsrzDMs99a3nhgWs/sxlknLpJ6CP

Score

10^/10

formbook dmr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dmr

Decoy

thietkewebngay.com

fdgre.com

silverbuzzer.com

d55105.com

ccc693.com

diptya.net

oleasalon.com

vjvtjkic.biz

edmsociety.com

siyahmaske.win

lmnp-occasion.com

platocosmos.com

fakua.top

albertabarricade.com

kakaninrecipes.com

bestsmokeapp.com

hotelsitaly.online

brewtopiaapp.com

1q1twoother.men

wwwmaharashtratimes.com

Targets

- Target
  
  10-2.exe
- Size
  
  404KB
- MD5
  
  54cce75f58836bcdaf4dd29dbe7312ee
- SHA1
  
  cdbb64c652e2033fc3f17297fcfb3af0689503cf
- SHA256
  
  2d8af025841b523076a35926b94baa786ffbcb5dcf873796ca30bc41f892a867
- SHA512
  
  5162f24bdefc7cb915caf51c930672cb3d2a67725c81a1b0e62c51895aabdc8ea53d01a512fdeeaaba7d20281a7a2bbfa14ee3e2379c06687417340adc816e34
- SSDEEP
  
  12288:ggD4fqRBdy4r3XyMb6U0tppCGfksVGB6dbQW+M2WUKn:gAfdNXPmKvjYdbd+M
Score

10^/10

formbook dmr rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdmrratspywarestealertrojan

behavioral2

formbookdmrpersistenceratspywarestealertrojan