formbook | fb9b78d96329f702bac81e025a7716aa7cd8c698e77f62bab8770add34a35357 | Triage

Sharing

General

Target

0987IC.zip
Size

155KB
Sample

240703-gzbb7svcrj
MD5

28445e58c5eab52f2d5c116ee2284d0d
SHA1

ae94dac2185093a154ec237aff36a0f59375b9e2
SHA256

fb9b78d96329f702bac81e025a7716aa7cd8c698e77f62bab8770add34a35357
SHA512

5fb51bcfb9d848c4294cb07f0ed508edb83c7264520378ea6db2aeb2d9c09399ea3382bb5739a409be075be6e2f51e26aea7bd60f9af3f301227de64416b29b7
SSDEEP

3072:SbUQx5f8BWnsWZABB81eBQ+QngY2EDuc91crnauOHnX16PBiO:SAQxxABT1TK90BOHsr

Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

Targets

- Target
  
  birectangular.vbs
- Size
  
  413KB
- MD5
  
  be6f44242b4afd0e61d775b9ef7946b0
- SHA1
  
  80ce71becc7fb1203a43708d7e3fdcad778bb79e
- SHA256
  
  8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59
- SHA512
  
  e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86
- SSDEEP
  
  6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd
Score

10^/10

formbook guloader dd01 downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookguloaderdd01downloaderpersistenceratspywarestealertrojan