formbook | 5345c78a28cb770a6742f203db63b35f7d0d1ad6e63c1f0780e9c8e21153ebc4 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Arrival Notice_AWB 4560943391.vbe
Size

17KB
Sample

240710-gm124aselb
MD5

93acfcb0399f16bd4f025265ca8f7f2f
SHA1

bc1ff10271f640e05fea062bfd519997265e40d2
SHA256

5345c78a28cb770a6742f203db63b35f7d0d1ad6e63c1f0780e9c8e21153ebc4
SHA512

198a519ec3195b1fd061ca80f747eb132fbfe403c01c14513e3b00982705eaf12930cda09e8252149cdb0a8eecb3ef4a55fdde483ed7f2c5e7991766ab181cc3
SSDEEP

192:1EqYZckc8r8AykqpgwYnFtuH9zYJpAC1id5Av+aiPTVqS1fUVVn2nkYW:1EqYZXd8jfiuH9U3HmRAj

Score

10^/10

formbook ss24 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss24

Decoy

agingwellhc.com

unikbetanggur.autos

eb2024yl.top

ja380.xyz

thehalcyon.studio

maudsoogrim.com

esteler10.click

mewtcp.xyz

www-zjbf1.club

kucinglucu.online

lunwencheck.com

65597.photos

erbxeu358h.top

startable.online

yousend.xyz

csharksg.com

centricoatings.com

ntruhslearn.xyz

achabakra.xyz

zuntool.com

Targets

- Target
  
  Arrival Notice_AWB 4560943391.vbe
- Size
  
  17KB
- MD5
  
  93acfcb0399f16bd4f025265ca8f7f2f
- SHA1
  
  bc1ff10271f640e05fea062bfd519997265e40d2
- SHA256
  
  5345c78a28cb770a6742f203db63b35f7d0d1ad6e63c1f0780e9c8e21153ebc4
- SHA512
  
  198a519ec3195b1fd061ca80f747eb132fbfe403c01c14513e3b00982705eaf12930cda09e8252149cdb0a8eecb3ef4a55fdde483ed7f2c5e7991766ab181cc3
- SSDEEP
  
  192:1EqYZckc8r8AykqpgwYnFtuH9zYJpAC1id5Av+aiPTVqS1fUVVn2nkYW:1EqYZXd8jfiuH9U3HmRAj
Score

10^/10

formbook ss24 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

formbookss24persistenceratspywarestealertrojan

behavioral2

formbookss24persistenceratspywarestealertrojan