formbook | 2a1a592d715bc79f96f5242986ccecab6803f00bf5c9345c99f3ef76a5d3b76a | Triage

Sharing

General

Target

a5be0b9593c1d43cba68afca025a4ddc_JaffaCakes118
Size

397KB
Sample

240818-hb6nwatbnq
MD5

a5be0b9593c1d43cba68afca025a4ddc
SHA1

520e77e14812d09b951c031de0cf1138c99ab6e4
SHA256

2a1a592d715bc79f96f5242986ccecab6803f00bf5c9345c99f3ef76a5d3b76a
SHA512

518febfb9ec60a3508336ec0ec3623c6681c76568dc80df2669036d8e4d906bebc98426038aa964401a834b0273caae655002291fb40480e79b10b8ff4d3b2fc
SSDEEP

12288:SaESokFZ3ArVYDrMpegeTaU0L2SQsGBMB:SaESv3ArVb7oaUojz

Score

10^/10

formbook iesn discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

iesn

Decoy

blockchain-refund.com

abogapy.com

ztron.energy

imadeit.club

gurdwarateghbahadur.com

dovetail-consulting.com

vampsy.xyz

beharrs.com

123ecole.com

silver2wear.online

ashwastaken.com

poincianaflowersevents.com

hyperdogetoken.com

optmsg.com

milanostyle15.com

ibisai.net

pknox.net

seedthrough.com

youngvan.com

gate2hydrogen.com

Targets

- Target
  
  a5be0b9593c1d43cba68afca025a4ddc_JaffaCakes118
- Size
  
  397KB
- MD5
  
  a5be0b9593c1d43cba68afca025a4ddc
- SHA1
  
  520e77e14812d09b951c031de0cf1138c99ab6e4
- SHA256
  
  2a1a592d715bc79f96f5242986ccecab6803f00bf5c9345c99f3ef76a5d3b76a
- SHA512
  
  518febfb9ec60a3508336ec0ec3623c6681c76568dc80df2669036d8e4d906bebc98426038aa964401a834b0273caae655002291fb40480e79b10b8ff4d3b2fc
- SSDEEP
  
  12288:SaESokFZ3ArVYDrMpegeTaU0L2SQsGBMB:SaESv3ArVb7oaUojz
Score

10^/10

formbook iesn discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookiesndiscoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookiesndiscoveryevasionexecutionratspywarestealertrojan