formbook

Sharing

Copy URL

Twitter E-mail

General

Target

19ed201350af3fc74e718aa9cd63f67f_JaffaCakes118
Size

478KB
Sample

240728-v6d9bsvfpp
MD5

19ed201350af3fc74e718aa9cd63f67f
SHA1

4886c619617f705910d64e1286d3c78ec40266ca
SHA256

18d42895a0a37161199e0f3da093cb3057f71a608866a3d3284c83a7b90dbf81
SHA512

577b97985d83f22a841e6c584c5674e7661543f04b4b077ee708ae208861654d4781f369af3a243a7ecc3f7c5f38ff27eab2af3020dc7ed66c8af526059585a1
SSDEEP

12288:EanI100up/lVGVup2iQttzsD8f8U5BN0m4xxVpKnhH2MhWOfBtqBKR:A1cpHGVupr8t0yDjNR4uH2y3vR

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c233

Decoy

concentratedprerolls.com

17aia.com

the-mistershop.com

pro-ecare.com

hushkeeper.com

zhmeiju.com

locationdd.com

rupanaa.com

smartlivegt.com

oidhlima.com

climpuright.icu

shopmaincollection.com

divineconsciousnessacademy.com

lumenhealthandwellness.com

relicstudios.net

gamelosophers.com

minimalismoweb.com

ecoapiaryfarms.com

siyuechuanmei.com

advincicode.com

Targets

- Target
  
  19ed201350af3fc74e718aa9cd63f67f_JaffaCakes118
- Size
  
  478KB
- MD5
  
  19ed201350af3fc74e718aa9cd63f67f
- SHA1
  
  4886c619617f705910d64e1286d3c78ec40266ca
- SHA256
  
  18d42895a0a37161199e0f3da093cb3057f71a608866a3d3284c83a7b90dbf81
- SHA512
  
  577b97985d83f22a841e6c584c5674e7661543f04b4b077ee708ae208861654d4781f369af3a243a7ecc3f7c5f38ff27eab2af3020dc7ed66c8af526059585a1
- SSDEEP
  
  12288:EanI100up/lVGVup2iQttzsD8f8U5BN0m4xxVpKnhH2MhWOfBtqBKR:A1cpHGVupr8t0yDjNR4uH2y3vR
Score

10^/10

formbook c233 discovery rat spyware stealer trojan credential_access persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $APPDATA/25/66.opends60.dll
- Size
  
  42B
- MD5
  
  3f2a75e68f8d67494b386dfaa5abe2b3
- SHA1
  
  f405e0bc8b4fc2cad111045c67e3c64343e2c7ca
- SHA256
  
  e7ab6b06a1134f3efe20fc5816ad5402c8e111fbd5031ec4f2c520224b9d5bdb
- SHA512
  
  a7909c511287c5a2f59992bd674998d0714f100ceab30168d9c9f85fc3e6b9ba76d0066c2cea3feed9ae2e651605fdd0f3992c849300b9c073f4cb1d05ada90e
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/25/vcompd.dll
- Size
  
  25KB
- MD5
  
  e31af3b8a32548786e51863d6dd2c584
- SHA1
  
  d7631fb52ab18f8587dd95f735ca9baef35fc31e
- SHA256
  
  1c3a71319639355f5eddb6a85f25d5de42e91cfe0fc0589fe77efd5903d6d77d
- SHA512
  
  a87e34be3689fce35f7857df50276c03ef6680d49219a3a87549ebbaa9a29eca29473b69288168a71cc90a3525875790f3e457d860d54d1f5d0ae2d6f08938c2
- SSDEEP
  
  768:WeN6bkNPd2tLrvhqjVZsnrL2jmPGLeUhLlLCI6ogak:+keLrvhq5mLS5eU5F8
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/emergency/diffs/1.opends60.dll
- Size
  
  723B
- MD5
  
  e143ae5b91c057e4cd5606207d21862a
- SHA1
  
  8b39091a49d5c020083460668fa7d204f9c9c0f8
- SHA256
  
  e78e084b6f4055ec343112544f8143140d9c401c3d5ed97e96ea305c0e1a2216
- SHA512
  
  1c5f34650c0fb1a2f237cc974fa1587e3bc861c19fee352f09cdc7dfd111b9a10da47b34580bb79c4e5c22e8d2d70af51305c7537b7e9e93953f83b23459b692
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/emergency/diffs/3.COMServerPS.dll
- Size
  
  287B
- MD5
  
  276ede82296c5ff52d6647ae5fafc8c7
- SHA1
  
  501a3bf8b9442386009d6ff2c97cffc4e55b5b47
- SHA256
  
  1eec0baff5fe77be2954f6fd125bff70699aa4aad30978ce650ee68cd0b478fd
- SHA512
  
  a254bc3fa138c0e0c7a03eb1de25405d6db038f8c8593fab90ae18e1ed88caf642383d4c46738c33395bb3b4ea3c3120944a50ec408770fc326eb433dc6ff8cb
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/emergency/diffs/5.opends60.dll
- Size
  
  50B
- MD5
  
  66fed1f516433d0c1fdef577a5405339
- SHA1
  
  435fdf52257dc975db8b676828a147fd04f94b95
- SHA256
  
  af70af914b3ac7d5dc4023934ebcfc189242f8e41c764cfcfae5ade6be3af993
- SHA512
  
  597ef5dec02ff8c0a47eaf2e78ba37c76487b44864aad7baee0019c981d63d37d9aa8d2cec34dd58bade9a572cf1d40e18212faffacb295c86fa232b83aaf3f7
Score

1^/10
behavioral11 behavioral12
- Target
  
  $APPDATA/emergency/diffs/ActiveSyncBootstrap.dll
- Size
  
  40KB
- MD5
  
  b59ec4aa8cc4eeb16e5567c085d5d677
- SHA1
  
  7c2442b35816e0517648a390f106910ae960f7bf
- SHA256
  
  1bf2270bfa6bafe29329f9d84c5f8856b57c84af6f3ed05027cebc4f767d07ef
- SHA512
  
  719d127a378fb16772c5a6c4b6ea6225a27ad4cd2a0d84e237faaa7a1a4e63cdd869ad2cf04b57268e393f709adea2a8aa83c6a640111d93fd2071ebdac7a470
- SSDEEP
  
  768:MzE7orC6TyNqZ7t7Ahh5E4C6FHYm6d985dgn49kjkGnUOhBpEdpb:tkTym7t7Ahh93+dqgbjXUOhBpeb
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $APPDATA/emergency/diffs/devenv.exe
- Size
  
  1KB
- MD5
  
  46f256b3a362ee2122a8a89d6af8a2d7
- SHA1
  
  15a631600c2a4d30a0f0868408b73000d984c4c7
- SHA256
  
  374c4bc0b4743621fddb79a9c56b8b01c097119f1488148d6bea946f6e1e3344
- SHA512
  
  eba307bb868c5cd46c8550ae414e9daf8aad6dcd7149d1f96ecdcc346aa832dc7688972bc6905210e47f773b9f54cd48392faf61b109660093d6d77731a6c3c8
Score

1^/10
behavioral15 behavioral16
- Target
  
  $APPDATA/emergency/diffs/guidgen.exe
- Size
  
  38KB
- MD5
  
  58c655527b57d74ae3c189a60a42da18
- SHA1
  
  f267630311a1c42ce9c4f0deda00e4132e9f8b25
- SHA256
  
  a2f590dea50cde47b0325d7a9adeea464257f46b76c059cf3e1ab2db65574685
- SHA512
  
  03c708a23339792802f506278891005e521b7188d0558fcc0f25dfd0c7cb0048c8fbf1f9fb1ac65fd6ef4bc4c7cac1715bcd8f07dd82e3e6770e327cc630e209
- SSDEEP
  
  768:QRi/Yplgp4V5qWNqYoMfTF/K4itMpdRJDh9ODV0L3d/o+X:AKYLHV5ZNbnFy4itMpdD7ODV0R/oK
Score

1^/10
behavioral17 behavioral18
- Target
  
  $APPDATA/emergency/diffs/metade.dll
- Size
  
  40KB
- MD5
  
  6ce0a00b9c336497b08106982b5f34d7
- SHA1
  
  5a513e808470c9375d99096020e021340ebef332
- SHA256
  
  1c55dab99bdf7461f211af018ce84478ff76f230133bfe3f8ed4b535a6a3cbd1
- SHA512
  
  abefa479dd072165c12cd4a04107fda982f2002bf33c28d8038b673632cf8f45e59ebc56c2501c7d12ed28e502361f95382322e7c3dc545601e0264f9e183ed8
- SSDEEP
  
  768:/lM05vRJQLrGB8vH/MON6s9+nQ8TYtehb1QsJcHO3pflk:i05ELr48vH/MOkDQ8TYteAsaHO5fl
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $APPDATA/emergency/diffs/msdnmui.dll
- Size
  
  29KB
- MD5
  
  f217fe7e8cbbebc61930bd60cfaea1e9
- SHA1
  
  18532b33579033f04b661a196d4ad5c0887f3736
- SHA256
  
  8638015b2bbc5b04029749aeb78e14521b5928737ca5e03bbcc2c0ec1a47f6cf
- SHA512
  
  b1633fe45c85f0e63fd0f293a3f71a80f6a8f059fbb3e1d17feac1ea7e5fce5d5d08207f08a163dd4543228556570e9a0bf06f34ca73f17ef9efa60f5fd3059c
- SSDEEP
  
  768:A/MAM30cf+Mj4fIzdODwDp1Y94nqiRyW82CLorT:QHel+MFKEpqUqiYWBOq
Score

1^/10
behavioral21 behavioral22
- Target
  
  $APPDATA/emergency/diffs/vcdeployui.dll
- Size
  
  10KB
- MD5
  
  86e8573da0da08bc5801eeb05722b900
- SHA1
  
  9df15367a068e8f16bea5b098c1bc5ab0fe8f816
- SHA256
  
  116d2a7b1c04779dc774f9012dff83f01cc4905bfce0e745c1e6f1b469b445a2
- SHA512
  
  bcb449de7aac0e68802868948344f57d7113eb16209ac8d2b5fd68f387c21998748763e34bc15cfb2ea3d9b09df4379eeac9b7651064a633d09d2ae6befaa724
- SSDEEP
  
  96:yOKkWxHSIWPpJG4yQMsn+WT74+olgDS8zlzcWmzIBTCT5o4nzkInvzUiPjP7TPmP:hWxyIWRIx+4+Yu7RS/I1vIQG
Score

1^/10
behavioral23 behavioral24
- Target
  
  $APPDATA/toplist/mode/wbemDC.dll
- Size
  
  31KB
- MD5
  
  a7d437a83378ac8f19797eff1044732b
- SHA1
  
  446f1802d1b199779ef8a35daf1c35125e193bd1
- SHA256
  
  697f768d749e5bfe8055997819fc0b088cb7ea2ce31e198b7210fa7dfa1ee597
- SHA512
  
  1349e67e4a68191e05af24242108732abfddfcb9e38427987f8407038e441386a0a004b5a7eb3f5a793691d06bf124f226e749238302bdd6b538605c3e8eec1e
- SSDEEP
  
  384:Ht7JZXNm4ZDjaEyaD0eNB1QsubhZKCTVvt9Sj5ko8Zr6DtnWO93GjWz6ctY:HtFRjnaExG1NZKCdSj5Eyt/wW0
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0063d48afe5a0cdc02833145667b6641
- SHA1
  
  e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256
  
  ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512
  
  71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- SSDEEP
  
  192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  6e64e5d5f9498058a300b26b8741d9d5
- SHA1
  
  837ce28e5e02788da63a7f1d8f20207d2b0bf523
- SHA256
  
  8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33
- SHA512
  
  f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e
- SSDEEP
  
  96:oWW4JlD3c151V1gQoE8cxM2DjDf3GEst+Nt+jvcx4P8qndYv0PLE:oWp3ggQF8REskpx8dO0PLE
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  $TEMP/Conservatory.dll
- Size
  
  43KB
- MD5
  
  255c2887e6b5f9756a9a473952e0807a
- SHA1
  
  b13718feb8e932e6a59d76a9984fa043d6f7826b
- SHA256
  
  0a5e2d346b9e7296275bf79fbda56cfc21a8af540b836dba04df1b6270bfe2c3
- SHA512
  
  e45ee410d61639ea098c9d8f831126d62cb67144834e6da6bab5c929cc8fe7a92493ef8a0c83c73b19942540318598987214c6b3377d6959425a91d269527823
- SSDEEP
  
  768:GTLZ/ZYB0KBLqpnn9rhwmmnTEDi4hvyPTsU9MBacUlT:GTt/ZQ0EM99MJbdMUcUlT
Score

10^/10

discovery formbook c233 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Suspicious use of SetThreadContext
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Formbook

Formbook payload

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32