formbook

Sharing

Copy URL

Twitter E-mail

General

Target

A FINAL DRAFT BL 00595854.rar
Size

1.4MB
Sample

240806-a568haxfra
MD5

b124a1e486a00c15b498932db5857974
SHA1

9ba29fdffd24db2f1f62a559e38eac1d72c830e0
SHA256

e8208b4ea0372e7708d867c4df307677ed6af1d1a10d87f1b2a8e02bd184b71f
SHA512

ea971c76077220869c8d047cfcc04327954c705f7c3f5a4b1c8e71e6c65970642e58e68688571ee4a806e5ac465c5849c1ad15a41ebdbcdcea090dc8b5d63d70
SSDEEP

24576:q/hwSoJZXgbbNkxoiImLz0A/Rn9/m9iFOEbgKf6cozAFAlrZlvFx1:YCJZXQQo00IF09iMEbYAFkbvb1

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

be28

Decoy

nsrrsdda.xyz

amut-sakhon-party-539528511.fyi

icholas-paaac.buzz

heirwellnessbuzz.buzz

mhgriu.xyz

etropixel.info

959725nkrowrf140.top

oxicsh.click

iobet-casino1.online

ome-care-81701.bond

lhrristorpky.xyz

ucko.info

ryson-saaab.buzz

aming-monitor-69835.bond

puf7.shop

armageddon.net

58799.top

rainfood.online

ahjong168.vip

arjetas-empresariales-pro.xyz

Targets

- Target
  
  A FINAL DRAFT BL 00595854/A FINAL DRAFT BL 00595854.exe
- Size
  
  24KB
- MD5
  
  2f8c33ab91e3897522bb6add4b6e1375
- SHA1
  
  dd6159fe631838b3bf1bf27bc90ea1acbaf381c4
- SHA256
  
  d0f5829a3fe65ff01901b2742e9e19cbb848d5b55452103ab1b8c82e87fa6872
- SHA512
  
  da28c79295704dc476ea28c69cfe9108b75be68912c7455d6b6eb6e3df07c6bd6e704f586433d79a3580bfb313cf459b2626d5ce34e3bc85b787b82a83358a3b
- SSDEEP
  
  768:+tSqfNFDB5jKxnVbgvqxNdKcSHJK/Y/+hP7:ESq3B5jKxnKvKNdKBHJK/n
Score

10^/10

formbook be28 credential_access discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  A FINAL DRAFT BL 00595854/api-ms-win-crt-environment-l1-1-0.dll
- Size
  
  30KB
- MD5
  
  2965c12277fcb719d97203232f1e39ac
- SHA1
  
  3d320fd6d983a4f62c718fdd3477c681168486d9
- SHA256
  
  a1651712774d01c909689a85b5b7a69da91db33ef133f8ac75ef19227b4b5969
- SHA512
  
  40315dbb91fd4deb7938ccd54994e9d60a10bdd693f37e3e7f3be1e2feb77c9424c0cf3a66c2b9461a9bbe13ce6755886c235b80afbe0917df8b22e89aba13f9
- SSDEEP
  
  384:yvWlhWHyAA0GftpBjhg6El2wwioNOzFP27xWkVbgWUlIx4cVW7NrqRR0FP27NBYo:jKi7gIwGQKxnVbgvqxNVIfK/Y/+V
Score

1^/10
behavioral3
- Target
  
  A FINAL DRAFT BL 00595854/api-ms-win-crt-locale-l1-1-0.dll
- Size
  
  30KB
- MD5
  
  1f15d860ca19f705c90fadc92035b91a
- SHA1
  
  331e7ae488a7c39e679d988459f87392c908e2c5
- SHA256
  
  b0b76ef49fd049adf77725e131e3866a8298cb0eec13305647ce5430c262f957
- SHA512
  
  10a0deb71ac7a72801faf37cff5133714f27def278381aed9638f92a6e9aacbd2969692b0081491f77b77e08372366c0c9d9de685d417f07b682261af49befff
- SSDEEP
  
  384:kWlhWHMIA0GftpBjTTg68qlfgpSORFP27xWkVbgWUlIx4chWn0Ie0FP27NBY3Yun:nZqilTgLHJKxnVbgvqxNhaK/Y/+a
Score

1^/10
behavioral4
- Target
  
  A FINAL DRAFT BL 00595854/api-ms-win-crt-math-l1-1-0.dll
- Size
  
  39KB
- MD5
  
  4d45e807872993208c4102865154dbac
- SHA1
  
  a1653df01dc76bec0876a788c5e7c5a5f77aab76
- SHA256
  
  eca01f80b0eb81523a17432715dd86b2463ca072bbba8a9af7dfd9123d2cf8c5
- SHA512
  
  31b7bfea6f7bd083ffd6b74c8c951ab66a3fc9b7e4f1e44ca27ad7d6d61a9301e4b61f49f1fa7b126e20bb991cfad4eca3c4438a80a500d5656744360081a14a
- SSDEEP
  
  768:G7TjMq59Bb1jLE0id3g2CrdKxnVbgvqxN5TK/Y/+Pf:GP51fE0N1rdKxnKvKN5TK/5f
Score

1^/10
behavioral5
- Target
  
  A FINAL DRAFT BL 00595854/jli.dll
- Size
  
  3.2MB
- MD5
  
  90d62a7d449acf1611f64271ae931c35
- SHA1
  
  ac20750a1ee03a1fff13b7059324ebe6914f88e0
- SHA256
  
  030894df7d8c8b08cbbade552f19e3975f7f97b2fd6b086c6a1dc6e807a12b60
- SHA512
  
  67842d26388fdfd5672491cbf7b80699d51b83ac40f939dabb2b8d568c25159e5329b25b2a4339acaedf3e8c706e10363e09c486202a69e2e6961e66ab6d3f3a
- SSDEEP
  
  49152:7Pnmb5cDLHDCGFEZEwMXQgFJ3Erj1cxgN:DmrGO5
Score

1^/10
behavioral6 behavioral7
- Target
  
  A FINAL DRAFT BL 00595854/msvcpcore.dll
- Size
  
  185KB
- MD5
  
  5af399d89aa594d7d3a8ccd897893c20
- SHA1
  
  1e0d00a3fcb1b116597c3f603869c5f271a41f34
- SHA256
  
  1f040380c94230e18b83b5b2d814b28eaebeaea0908888889182f07a113a362e
- SHA512
  
  3d5a725d3d11afb0c3821e8a68e96f02392a0d814dd77c59683e565adb4a756099919895a2702e14c12557859406e1291ec40dab915db424ec947165600af78a
- SSDEEP
  
  3072:W3aE0EHa5WyNyux4CAN5YdoDgel0tWjR2S/0AdePpWau5YjsFO6BaBNIH:Wh7H4Wqy44fKohl0kjBscaFmaPg
Score

1^/10
behavioral8 behavioral9
- Target
  
  A FINAL DRAFT BL 00595854/vcruntime140.dll
- Size
  
  107KB
- MD5
  
  146eb6b29080a212b646289808ae0818
- SHA1
  
  e5d9801f226ecd3af662df225f751ae8a8934357
- SHA256
  
  f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743
- SHA512
  
  0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58
- SSDEEP
  
  3072:y67mylIhkoQpdK9H9YOecbKV02pKuKLK/M:7iylZoQwH93ecbKCR72/M
Score

1^/10
behavioral10 behavioral11
- Target
  
  A FINAL DRAFT BL 00595854/vcruntime140_1.dll
- Size
  
  49KB
- MD5
  
  c106bef63b8db2f32de277b0c314249f
- SHA1
  
  b172b5809f95bd4f4181fe30c30368b50a27f08a
- SHA256
  
  dced523e24b4374522c86f7bbfc0ac8d8e1078336492629722081339adaad9ba
- SHA512
  
  77aab947ffec187f054c68899f2b4186a53b2901fb74ee6702586c1207a4abea238c64da0aa3ebe56695c31606b315f9a6289ca1748e9770fcfca5816e7e6580
- SSDEEP
  
  768:+Cm5yhUcwrHY/ntTxT6ovF7IVwwIl9znKxnVbgvqxNJUoK/Y/+b:lOHc16opIVwwI3znKxnKvKNJUoK/x
Score

1^/10
behavioral12 behavioral13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Adds policy Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13