formbook | 8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0 | Triage

Sharing

General

Target

8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0
Size

4KB
Sample

240712-llmwaszeqc
MD5

bed1bf6c07161a4ab736149c7c78132b
SHA1

acf9f041276918213242347167821bdf28d46730
SHA256

8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0
SHA512

82c481af54465b1a802fe4fa99f3acf1239a21f948c7484a6ab96c22198d9c6a9a61d47df3318f27e1c189fa1db50dc9e1b3d9c301609f94ac8f9154bfba6959
SSDEEP

96:ZSvvX/FpnUT1phu+LUZNYsjlRvOicThoOPejMIFeoH8b/H:ovvFVURpU8ONYCl9Ot/PerAn

Score

10^/10

formbook guloader dd01 downloader execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

Targets

- Target
  
  DHL.cmd
- Size
  
  6KB
- MD5
  
  4fac338e225a33e53806bf2f27f3ed0e
- SHA1
  
  5e7f1620ebe0099e2c7014b2e725eefbdaecab85
- SHA256
  
  1825ea48164cc22c0872fea1d7ed7698d8ac439c8404207db2234cdc2b95f1ba
- SHA512
  
  cdeee8abcf1153740d8d1c0cc82c23c2f4b71fb6335b4fa1c3c5bf4838a0186f8043b3b5223c8d13c62c777be7cb8df2ef12a617485cdf61c527e2d5f5888844
- SSDEEP
  
  192:YWFEaVQEQKcwglcCy6XnU/pTmAaelT2dvmf:ThuZXGCyWU/praeIdvW
Score

10^/10

execution formbook guloader dd01 downloader persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookguloaderdd01downloaderexecutionpersistenceratspywarestealertrojan