formbook | 1d7b28dda54ec1a9b7003d01cd37bb495feccde98355945ae0370e51e6fa0f74 | Triage

Sharing

General

Target

a67c13ca70d60247253b6b329bcea0c0_JaffaCakes118
Size

1.2MB
Sample

240613-tw8vhszfpj
MD5

a67c13ca70d60247253b6b329bcea0c0
SHA1

eee58ee3fbc96b248b9b156df162187c8ef73fcf
SHA256

1d7b28dda54ec1a9b7003d01cd37bb495feccde98355945ae0370e51e6fa0f74
SHA512

3bdc1b93d02a9fcdcd1a75989149f084c6bbf616f97c723016d6477a1cb75aa6c75796024ee4dd534ad1f54c4647d4d42991324c99fd0f759f33a591707d59a8
SSDEEP

24576:8fc5/XLJWXJyM5wvzMJ6Rbdg8QyxQ2vHYV:8AdJPzi6HgFi8

Score

10^/10

formbook lokibot hx314 collection rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://devhaevents.us/22334455/anel/alive/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

3.9

Campaign

hx314

Decoy

xn--u2u404a.ink

test-gogoatrip.online

solution.direct

neurofoodmarketing.com

doubleplanetoid.com

bashouda.com

snaghawaiianvacation.com

imanamericandreamer.com

object-j5gcpzx0sqdhnwmvl.loan

imperiallivingatl.com

1399pk10.com

foreverstrawsco.com

amandabreenforketchum.com

zgtmn.com

66463dh.com

peizi33.com

xxwgdw.info

jjgallocpa.net

isolate.solutions

chineseformula.com

Targets

- Target
  
  a67c13ca70d60247253b6b329bcea0c0_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  a67c13ca70d60247253b6b329bcea0c0
- SHA1
  
  eee58ee3fbc96b248b9b156df162187c8ef73fcf
- SHA256
  
  1d7b28dda54ec1a9b7003d01cd37bb495feccde98355945ae0370e51e6fa0f74
- SHA512
  
  3bdc1b93d02a9fcdcd1a75989149f084c6bbf616f97c723016d6477a1cb75aa6c75796024ee4dd534ad1f54c4647d4d42991324c99fd0f759f33a591707d59a8
- SSDEEP
  
  24576:8fc5/XLJWXJyM5wvzMJ6Rbdg8QyxQ2vHYV:8AdJPzi6HgFi8
Score

10^/10

formbook lokibot hx314 collection rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooklokibothx314collectionratspywarestealertrojan

behavioral2

formbooklokibothx314collectionratspywarestealertrojan