formbook | 71abad95eeb66ea1fc076a33659dba34d9404a08eb4ad1aaf32c41754abd332e | Triage

Sharing

General

Target

71abad95eeb66ea1fc076a33659dba34d9404a08eb4ad1aaf32c41754abd332e.vbs
Size

31KB
Sample

240720-mg3xdsxgrp
MD5

5cbf0fb04e1714ebe00fd744a24b109c
SHA1

4c2a52cad1cafba41f7af6c4385a261b972573f2
SHA256

71abad95eeb66ea1fc076a33659dba34d9404a08eb4ad1aaf32c41754abd332e
SHA512

fb56c70a852e3f619c28742e5373a32e0b48614db70a83b4d84fdef29e5120d16e01c9880b91d9e25cd2dfe9e916eb7b2ec5706d18c0db861fe754bc71c58409
SSDEEP

384:6zMKK76JtZbJBuBdWZz+M6e7cmjP0irkQML:6zMKHJtZdcc+3Zm/rkzL

Score

10^/10

formbook ss24 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss24

Decoy

agingwellhc.com

unikbetanggur.autos

eb2024yl.top

ja380.xyz

thehalcyon.studio

maudsoogrim.com

esteler10.click

mewtcp.xyz

www-zjbf1.club

kucinglucu.online

lunwencheck.com

65597.photos

erbxeu358h.top

startable.online

yousend.xyz

csharksg.com

centricoatings.com

ntruhslearn.xyz

achabakra.xyz

zuntool.com

Targets

- Target
  
  71abad95eeb66ea1fc076a33659dba34d9404a08eb4ad1aaf32c41754abd332e.vbs
- Size
  
  31KB
- MD5
  
  5cbf0fb04e1714ebe00fd744a24b109c
- SHA1
  
  4c2a52cad1cafba41f7af6c4385a261b972573f2
- SHA256
  
  71abad95eeb66ea1fc076a33659dba34d9404a08eb4ad1aaf32c41754abd332e
- SHA512
  
  fb56c70a852e3f619c28742e5373a32e0b48614db70a83b4d84fdef29e5120d16e01c9880b91d9e25cd2dfe9e916eb7b2ec5706d18c0db861fe754bc71c58409
- SSDEEP
  
  384:6zMKK76JtZbJBuBdWZz+M6e7cmjP0irkQML:6zMKHJtZdcc+3Zm/rkzL
Score

10^/10

formbook ss24 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

formbookss24persistenceratspywarestealertrojan

behavioral2

formbookss24persistenceratspywarestealertrojan