formbook | 1a5f34e73e2e79751dd26d14360430c28bcc98a02c41a1e063ba6f88de477020 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a412e0810a9f85881db7510435c6c07e_JaffaCakes118
Size

634KB
Sample

240613-gkq44szgnm
MD5

a412e0810a9f85881db7510435c6c07e
SHA1

e04c86f4288a2d2d07fb184e02412df2d7169cad
SHA256

1a5f34e73e2e79751dd26d14360430c28bcc98a02c41a1e063ba6f88de477020
SHA512

1632ec57b79a2323f59d2b6b29b716722240ada5e29edc17efe649728ce11722f096d3bcf8bc7ecc09a133794c4685081797368c8fd85276fc879ca3a2abc69c
SSDEEP

12288:Ob6ah8sqonj0q4i08FuSb7oUYduW/LwmUuNfIy4lE0RReMysGd:5sj0qd0mHbkU+uILwy2mzsG

Score

10^/10

formbook h331 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h331

Decoy

managingcll.info

waszuppglobalcrowdfund.com

digisimcart.com

jiwqubsh.click

mahyiu.men

sueedstack.com

390cwa.info

nickawood.com

milkman.biz

cm7.info

tinsworth.net

upgradediri.com

luxuryhottubcovers.info

bogeku.com

crowdrewardsapp.com

usamillwork.biz

jsqdzz.com

stlclothingcompany.com

1jaysauce.com

dfptf.info

Targets

- Target
  
  a412e0810a9f85881db7510435c6c07e_JaffaCakes118
- Size
  
  634KB
- MD5
  
  a412e0810a9f85881db7510435c6c07e
- SHA1
  
  e04c86f4288a2d2d07fb184e02412df2d7169cad
- SHA256
  
  1a5f34e73e2e79751dd26d14360430c28bcc98a02c41a1e063ba6f88de477020
- SHA512
  
  1632ec57b79a2323f59d2b6b29b716722240ada5e29edc17efe649728ce11722f096d3bcf8bc7ecc09a133794c4685081797368c8fd85276fc879ca3a2abc69c
- SSDEEP
  
  12288:Ob6ah8sqonj0q4i08FuSb7oUYduW/LwmUuNfIy4lE0RReMysGd:5sj0qd0mHbkU+uILwy2mzsG
Score

10^/10

formbook h331 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookh331persistenceratspywarestealertrojan

behavioral2

formbookh331persistenceratspywarestealertrojan