formbook | 2152a980e864940db36cde90c649f66e7c2da15790e97703a28cb378fb7b5ca6 | Triage

Sharing

General

Target

3a73c9c4a1e78e49f8b0649de5f5f8c5_JaffaCakes118
Size

399KB
Sample

240711-x8m1cstbmf
MD5

3a73c9c4a1e78e49f8b0649de5f5f8c5
SHA1

7582cffb3f24fb6a15a99a67986d980d90f52d8f
SHA256

2152a980e864940db36cde90c649f66e7c2da15790e97703a28cb378fb7b5ca6
SHA512

1d561abb979d5d0d0e1ccc3b2932842dc0adace7aacc828b6f09531b63b4b2869b11eeb92e3f861fb2e04822be6cbff49e416ea00dc458fa37f2ffc51ee16af9
SSDEEP

6144:UhtI9ERQ+3HwOGy3cyiyQ6AnXrUOGXc97ylrpcQwiCdl5WBI/w9nBrj4+T0:/ESoGFaQ68XrnGXsOluQndBI/w9Bw+Q

Score

10^/10

formbook gefn evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gefn

Decoy

noticiastdf.com

coachc.today

chokeonwords.com

7xqfkg.com

shsnywhs159.com

padison8t.com

biglifeshirts.com

smartlifeplus1.net

shein.shoes

jiankong1234.com

yuedahs.com

gold-dust.xyz

gladway.net

titanpestandwildlife.com

hivetire.net

onycostopsale.com

lovesglamshop.store

theuapmusic.com

ohiomakeupgirls.com

80cq926.top

Targets

- Target
  
  3a73c9c4a1e78e49f8b0649de5f5f8c5_JaffaCakes118
- Size
  
  399KB
- MD5
  
  3a73c9c4a1e78e49f8b0649de5f5f8c5
- SHA1
  
  7582cffb3f24fb6a15a99a67986d980d90f52d8f
- SHA256
  
  2152a980e864940db36cde90c649f66e7c2da15790e97703a28cb378fb7b5ca6
- SHA512
  
  1d561abb979d5d0d0e1ccc3b2932842dc0adace7aacc828b6f09531b63b4b2869b11eeb92e3f861fb2e04822be6cbff49e416ea00dc458fa37f2ffc51ee16af9
- SSDEEP
  
  6144:UhtI9ERQ+3HwOGy3cyiyQ6AnXrUOGXc97ylrpcQwiCdl5WBI/w9nBrj4+T0:/ESoGFaQ68XrnGXsOluQndBI/w9Bw+Q
Score

10^/10

formbook gefn evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgefnevasionexecutionratspywarestealertrojan

behavioral2

formbookgefnevasionexecutionratspywarestealertrojan