formbook

Sharing

Copy URL

Twitter E-mail

General

Target

be75358ef16a88307d3722de7f8d080b_JaffaCakes118
Size

759KB
Sample

240824-m6xrnsydqq
MD5

be75358ef16a88307d3722de7f8d080b
SHA1

0a812866da45cf66666af011efee7965290a537a
SHA256

6401173b049bfd58a827e272138d0cf08185519dfa744e2b2e9990b4cade3a49
SHA512

be050652c2c6ad722292c686898b48dd5c8dfe35d977cb74586dce59e89a24e3ab9b9aa5b9fc3cb9ed91f0ab8bc3b34d53e298c2d0e1a20db32f539e2d12297c
SSDEEP

12288:1gh+13sf8irOhRxuXEMzhy8H2kT//B4vvNuBvw0C9/D42fWGS:TMN9Wk14aY0C97S

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

a8c

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Targets

- Target
  
  be75358ef16a88307d3722de7f8d080b_JaffaCakes118
- Size
  
  759KB
- MD5
  
  be75358ef16a88307d3722de7f8d080b
- SHA1
  
  0a812866da45cf66666af011efee7965290a537a
- SHA256
  
  6401173b049bfd58a827e272138d0cf08185519dfa744e2b2e9990b4cade3a49
- SHA512
  
  be050652c2c6ad722292c686898b48dd5c8dfe35d977cb74586dce59e89a24e3ab9b9aa5b9fc3cb9ed91f0ab8bc3b34d53e298c2d0e1a20db32f539e2d12297c
- SSDEEP
  
  12288:1gh+13sf8irOhRxuXEMzhy8H2kT//B4vvNuBvw0C9/D42fWGS:TMN9Wk14aY0C97S
Score

10^/10

formbook a8c discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $TEMP/29.opends60.dll
- Size
  
  48B
- MD5
  
  6357d179955674034f11ccd57b541013
- SHA1
  
  e8e4f0d49b439359f18465dd2ec35bef6f97f3d5
- SHA256
  
  b44f07c7601adce45a7d8d3c244ef33103798a81da81ea3aa5151cb3e6930e80
- SHA512
  
  63e436e109197bba8ed13ac5e36de53339559793a111fddbc5ed204a85f7b76b9739a0f21be85cba33184f312656fa92724c722b5acff72a299d1ab0b35f8f73
Score

1^/10
behavioral3 behavioral4
- Target
  
  $TEMP/SterletFiretrap.dll
- Size
  
  55KB
- MD5
  
  3ec65b93c42c369a4e75a292a6cd0a74
- SHA1
  
  dbfbf8bea2409544d73a3247555431f864741219
- SHA256
  
  0218dacfa55a2f8ca15ac49c00b8aa931861918d499266817e3cb09eedadfa06
- SHA512
  
  681ebf0a9150788e1e8eba4657c3263c95963983db7e5aaed76117cec8582ce5cbf9e22225202a298c9bcf4552f245e5c399036c6713abc773e3316cb2b05b30
- SSDEEP
  
  768:IpJYtpnbsx5RJwOkr5cPgeu1ZbqZTyMDCFmZBsDXtfH+h1Gt:IYBsEyPwBpICFmYzp+PG
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $TEMP/WebNavigationFrames.jsm
- Size
  
  4KB
- MD5
  
  c051b2a2d1bc740f34ad47f138c2aaf2
- SHA1
  
  5781d75689b46c9b80cb5e6806e88323e36b699e
- SHA256
  
  6a78d64b197e61c4268cb99346acde5e51f3562f6826e3620f91e82cc8fa0a2c
- SHA512
  
  c5d87a2e274107cde5e56301de456156cc89aa0f43b8f72199a858f270af1891287b1346439a78d1556c6a0e676320579d9d1b0b5cd9ec587451116a80362e74
- SSDEEP
  
  96:AQ9apzIbUOGRiwvaDf41dlGJFYeYUc7NQBQU:AQYObNkBvaDf4nlGJCeYN7NQBQU
Score

3^/10

execution
behavioral7 behavioral8
- Target
  
  $TEMP/aspnetisapi.dll
- Size
  
  8KB
- MD5
  
  2d89109a96fa1d4505338f40f1fcd187
- SHA1
  
  0cbd745f24c7a82f18c5efaa452a968f22bcd2fb
- SHA256
  
  5a8feb175340953c11d7ce0b4de92b25cfd9011626a7b46347adf46c029543a9
- SHA512
  
  82bd1f4c1ca3648e834fbd7579461d91933c7ec8e81d010a66f97cc70793077b98996d176c6472fb18ec8950318216cc9949856476b5c94423f66865ac716a9b
- SSDEEP
  
  192:tU7HwE6OCoY9zcTnbrk86yN3XxvNVqKWPRNUwW/01fS:tY/eanD6GvWPbUwWs1f
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $TEMP/autolayt.dll
- Size
  
  18KB
- MD5
  
  53264f84bbed45cb61d18402e0e4e2b5
- SHA1
  
  f1ebae3d1213bcf09104061de2cdc1620932a224
- SHA256
  
  d5f654503f79f9f62d3c69838da1a8dbeba92d988ea9807c50443674cdf2c042
- SHA512
  
  6a8aa473bffebbf7e1714cbe51cbe590f02ace30a82c740adaea23f1a29692b79e7bb452d9ce21afda3ecf83cd0977caef2d5d7f77921747a4549aef6a3fb2b8
- SSDEEP
  
  384:zRWMr3VK449AIe0mZUr54eqgXiZace8o51fq3RXRPCR316WMgW1QW1d:zXr3bRpl9eqgyQuRXQR3/MLZ
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $TEMP/coyote.exe
- Size
  
  50KB
- MD5
  
  07b54aa737d16f89c80e6da5a2de5013
- SHA1
  
  bcad8a5a09597086ce2df3ed4d833ca6a188f12e
- SHA256
  
  e4ee0e4c5533fad0ece32849b37dec5c22ad662ce3dd1376880200eb6011de5f
- SHA512
  
  e92ed0a39dd645c60319739b86a06e7643cfb14f28eb6d1bb3ec97febf0405eb5ad4d3e6aaf3374bfebdeb1bbfa1371764790810aa904f1cd9f63b17c62fbe61
- SSDEEP
  
  768:EsPebzrf3MbrOcnT9c/onP99Fg7APq+As006t++yD:O3MXr99nP9zgsD100x+
Score

10^/10

discovery formbook a8c credential_access persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  $TEMP/cvtres.exe
- Size
  
  31KB
- MD5
  
  d312a154a5f5e54bbbcf12a22b1b2058
- SHA1
  
  f8fa4c00c53d6800c81cfb8ff910514f6324ab68
- SHA256
  
  91b2e82a6bc7dff3cd1336caec81d515b7422c39a5ae19d5dc87673239f00430
- SHA512
  
  d42d9fa8bb383ac0f8643d2e87fc5a1c6b7c4d4bdbfbc5fdd3eb38d69202d2819166b62a069158d8f3c4999edc1591b75a768c90ea2aab76e2bd5bc3d8e4cdf1
- SSDEEP
  
  768:IaEu+pIy70T4voc53bxmB3aALsRO7kSDTvKdnGSL3d/o+S:MIa0Ttcl0B31LsRO7kAKdnGSR/ol
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $TEMP/disco.exe
- Size
  
  48KB
- MD5
  
  3cda7f433393da8aac9ae702b69b2999
- SHA1
  
  a47c935a6b10bef73dc129f278ec796045ca0cff
- SHA256
  
  866476b1db9856ee0a59e70e2de96d16e7603a6642019d5da88808cd9047b268
- SHA512
  
  2116e78fbcaf5760b7e81a526525736cc3115f389c22c7d7d55806333ebf377b7a27ca9cdf1346a60b0c6904d05200f39f83e6472cc84bf08373e2a032dcaeca
- SSDEEP
  
  768:xX8QmFTLoVL47053UIPZgMHb3ELS57EJuFRJRh/gC:z6kVLR1UIPCMHUJITh/gC
Score

1^/10
behavioral17 behavioral18
- Target
  
  $TEMP/emcmp.ko
- Size
  
  5KB
- MD5
  
  bceb647f93ea19dd1ff53e07fd6597d0
- SHA1
  
  afcd3268cff93a8cb2b95d659a4eafc6581c8eb3
- SHA256
  
  5cf8aad19abc14dda1ffea3c8b1fcde108f49babef6df32d17db0376b4961d37
- SHA512
  
  a94e0151a93bd5e1e9fb5b3b848b93dce93279aafc72abab75cf1220dbf9cdb3604e12a6789e448b05e08888f67dac8d0f3af75bf70ddd1ddb6a4b3c4f564257
- SSDEEP
  
  48:bJKlGVPlByo3iOk9hMRlww8Rs5T8iRIy46fPO:boGVPPiOk9hs60QB2O
Score

1^/10
behavioral19
- Target
  
  $TEMP/ltv350qv.ko
- Size
  
  9KB
- MD5
  
  fa8b6541fb43bca257f320b1f4a6a9d9
- SHA1
  
  be9e9d33cf5d3097b4ae4e8fc4ee43ab8a910f3e
- SHA256
  
  144cd87eae357b34cf4b18dc3c92ddaa535db93b3455ab6baf55133e4d41994d
- SHA512
  
  dae8ca2fe2bed5b14ae85cec28089e0d3bcca1d04f9415c525bb430718432a5db21b15df4d59506fc0c86e6f96ce8da115c49d476c01ef5892b910085a21a219
- SSDEEP
  
  96:bL1MqFWjOk11EXl/z0bS3O7RLDXNXkIOUtKHzZsGO:bxzAO+1EX1aS3EDXNXyzZ9O
Score

1^/10
behavioral20
- Target
  
  $TEMP/sl-modem.py
- Size
  
  1KB
- MD5
  
  c9a52132fc69b593b08f79c10c42c58d
- SHA1
  
  ccade75a7569fff80fc217a40b74f5ca5f3d0327
- SHA256
  
  8477cf22623c21520b9022e91ce13631129fa78cf11bdcac96b47585b2b800ec
- SHA512
  
  0710257bcef424cb0bdcb7e8e5a391417e2be6d93461dc966c0e3ef5051eae7654b9e9ade2fdb3f0d209f8a05c5ccdf0a9da12b0bafe94248eedd72e2253f91c
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $TEMP/system-config-printer.rtupdate
- Size
  
  189B
- MD5
  
  12efa1534a908bfafa184bc0f6993861
- SHA1
  
  d41b0bd006482e89d32aa6b166c7ad56beb39450
- SHA256
  
  8b634d9651564e74c72b6aed5b0c7b57c1a7575ddbb9fbc82706c76bc8fbbc13
- SHA512
  
  f99e8f72c44c190fd61de9033ebdc5fb509253cabb2bac5ed2d5651c70990fab2ff826377eecd596cc29ed452c7466cbae47f1fd72895c307ccbc74b3c40c418
Score

1^/10
behavioral23 behavioral24
- Target
  
  $TEMP/vsslnui.dll
- Size
  
  9KB
- MD5
  
  dcb564d59b368d19a3d3ed114eb72aae
- SHA1
  
  850ebcae450c7eeb25a969014bfa3493415d9c45
- SHA256
  
  4f81209814bcec95a7e29a36b7665a87ab7816aef8a83e927befbdf560a01f52
- SHA512
  
  9d1df7e09a0ddbe0b5b525cdf9d3cca99698b9d49e5e7fabdcd4c36090ba52a97efe9cf1a15245282078758d06ce434462834c76b5cad5e019364d329ba2e48f
- SSDEEP
  
  96:0NRonBgfCi3bZ9NBwjGDuok+mjexEWIYfINrzLWPVZHrwUH4:0NaBmXNCdLvWItNvLWNlw
Score

1^/10
behavioral25 behavioral26
- Target
  
  $TEMP/webbrowser.cpython-35.pyc
- Size
  
  16KB
- MD5
  
  daf5bfcfce29c6d2eea18d5c08478abf
- SHA1
  
  095fa854de1ff94e87cea9929c977b1765560e8d
- SHA256
  
  f175dcf86e07e9d506d1b4c244ba55f0da1924a30ff0d5ee87cdc9cb1b908baf
- SHA512
  
  a1184d42a7f8295254c2cd76fe4953c01f7ed4dcf451d4e9cafcfb478964e9885a44345d54cb3a9c9f12e258d1b0c4a3859477ccb4754e67d5df2063e83f6389
- SSDEEP
  
  384:2CLNDm5uAr9qCqOqUVIjqrn/q/qDqHqhzqq7j/qUY3qq4hQqqNhmG8IwqzUqq29y:JhDm9r9qCqOqUuqrq/qDqHqhqqvqUY3E
Score

3^/10

discovery
behavioral27 behavioral28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Formbook

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28