formbook | 1783cab38631bf2258e78dedfb3669c9a6cd4fff79b57fe50ce47f3f788f6390 | Triage

Sharing

General

Target

3dca0bef1adefc95c7785bf1a31785fe_JaffaCakes118
Size

232KB
Sample

240729-kqmwesvbpg
MD5

3dca0bef1adefc95c7785bf1a31785fe
SHA1

1f5ecaecadd6a8cf327fd6ee6b9ae7e0855ef366
SHA256

1783cab38631bf2258e78dedfb3669c9a6cd4fff79b57fe50ce47f3f788f6390
SHA512

c05ac29b8fdbde1857e3525c0915c5a661241bc3b3f452247e04ca8b5e7b07ed2a446c3d2ed043778bce7782abc827cc30d729600039900a43b8a520dc7e5231
SSDEEP

6144:j7/5pgOT8yGxriYa5InYqeEVeaQSThW2ZxmSHMV:j7hpgOotS3hEMtShWYxDsV

Score

10^/10

formbook tnk credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tnk

Decoy

lafioletto.com

mgiuj.com

wolllafvixzies.win

wwwsbvip123.com

nadyaasnae.com

noticesinvoice2017.com

intercapati.com

tg8895.com

9245654874.com

lytsxc.info

rffuf3-liquidwebsites.com

verguet.com

peinturefleursetfemmes.com

xttmrama.com

cryptoinvestmentideas.com

kikumasacarparts.win

freeapk1.com

tasteofimagination.com

gxzyoa.com

cq-mingwei.com

Targets

- Target
  
  Payment Slip.pdf.exe
- Size
  
  286KB
- MD5
  
  fd6e85afa80f7c36795bc58dc4d1fa86
- SHA1
  
  419dd6e6e6a1a6753ca51e1612ea6bc61a011d48
- SHA256
  
  985fb6bd28653c5012113b096e61bebb49fe5aeeb53c7a128d323803637cf6cd
- SHA512
  
  9d9279ddb6e3988371a7ca714ade52e4983eb7df7c3e6bdf322e530c44c730b8b43f4bb943800c842ee4b54bcdbf3341be066a05bdd4fa72e4e2b69db05c3a01
- SSDEEP
  
  6144:UhntRj86y2xrIYaHInYgeEVgaQSTxU2ZxmSHM/:KntR5tQtvE6tSxUYxDs
Score

10^/10

formbook tnk discovery rat spyware stealer trojan credential_access persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooktnkdiscoveryratspywarestealertrojan

behavioral2

formbooktnkcredential_accessdiscoverypersistenceratspywarestealertrojan