formbook | c90168203989a5d0e8a10cbb0753d83efad01793b94fd6480701059df2529d4f | Triage

Sharing

General

Target

822bfd7e6b9a02844e5b52fdc971bcdd_JaffaCakes118
Size

14KB
Sample

240529-2fzwnsdb87
MD5

822bfd7e6b9a02844e5b52fdc971bcdd
SHA1

a66315e4bc32830158549601eb8c02d89e616bad
SHA256

c90168203989a5d0e8a10cbb0753d83efad01793b94fd6480701059df2529d4f
SHA512

8b3d33b04f09388e9e7ca8b4c5138249e109780e318f002ef87b8f36ab9d441a85bf6270b2885d33dfe93bde8f027512311871aedbea9e738544faf162e50b7f
SSDEEP

192:W1UugtKtPRaEdxKYRrRbZxh+F1lZ48CAZ8Ll6t+6PzKrd0As+2Dnznz3s34rbxgp:WZhRMF1DHOUrK5z6XI4r1gIG

Score

10^/10

formbook ysl persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ysl

Decoy

descansosnm.com

ciastaniespodzianka.store

jeeugae.com

cleanfunnies.com

gaywelove.com

setecandeeiroscaja.com

lacafe.rest

fuyujen.com

hit-community.com

docusharego.com

urquell-energie-code.com

pattycordeiro.com

40momentive.com

hydrogengascars.com

focusdekalb.com

sandiegorealestate.report

agence-comy.com

wgtseguros.com

bajajloangroup.com

securefedegestion.com

Targets

- Target
  
  822bfd7e6b9a02844e5b52fdc971bcdd_JaffaCakes118
- Size
  
  14KB
- MD5
  
  822bfd7e6b9a02844e5b52fdc971bcdd
- SHA1
  
  a66315e4bc32830158549601eb8c02d89e616bad
- SHA256
  
  c90168203989a5d0e8a10cbb0753d83efad01793b94fd6480701059df2529d4f
- SHA512
  
  8b3d33b04f09388e9e7ca8b4c5138249e109780e318f002ef87b8f36ab9d441a85bf6270b2885d33dfe93bde8f027512311871aedbea9e738544faf162e50b7f
- SSDEEP
  
  192:W1UugtKtPRaEdxKYRrRbZxh+F1lZ48CAZ8Ll6t+6PzKrd0As+2Dnznz3s34rbxgp:WZhRMF1DHOUrK5z6XI4r1gIG
Score

10^/10

formbook ysl persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies WinLogon for persistence
  persistence
- Formbook payload
  rat
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookyslpersistenceratspywarestealertrojan