formbook | 31c8c2014f2c7d1425741342ba9cc283641764c189e7e18c0caf571728d931c4 | Triage

Sharing

General

Target

cbbd0d914f1b8fd1852e514a77ae16c5_JaffaCakes118
Size

614KB
Sample

240830-1qx96axfpg
MD5

cbbd0d914f1b8fd1852e514a77ae16c5
SHA1

cdcfe3f05d2334b387d9347ad7dd0f7806e497f1
SHA256

31c8c2014f2c7d1425741342ba9cc283641764c189e7e18c0caf571728d931c4
SHA512

d38e0dff68899ec64b1f9b77fd4d57f3b5231e36fc79e2303468089b5011eac3969df4aab9fd18240b1dd0f12091f384eb270539a205edc60a31319e2f2626aa
SSDEEP

12288:51beMP9g/CigiRVZzV1NTY9JNSE++JhIQUaPQWdoC4E40fAgyJ:516qCCsLZzV1C9JlJhJJ4Odf6

Score

10^/10

formbook ej credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ej

Decoy

ratnik.online

qqqq5025.com

oliverschmidtleipzig.biz

wallet-service4.com

securityinformation.link

kuaitool.com

chuanyuemeili.com

jetluxurysedansok.live

xn--autodrne-93a.com

ipdzke.men

opebet489.com

defamey.com

switchbank.finance

bplti.info

habomilk.com

onlineprintersupport.info

kansashemporium.com

xnewmovie.info

yuvakarshan.com

camwrshh.com

Targets

- Target
  
  cbbd0d914f1b8fd1852e514a77ae16c5_JaffaCakes118
- Size
  
  614KB
- MD5
  
  cbbd0d914f1b8fd1852e514a77ae16c5
- SHA1
  
  cdcfe3f05d2334b387d9347ad7dd0f7806e497f1
- SHA256
  
  31c8c2014f2c7d1425741342ba9cc283641764c189e7e18c0caf571728d931c4
- SHA512
  
  d38e0dff68899ec64b1f9b77fd4d57f3b5231e36fc79e2303468089b5011eac3969df4aab9fd18240b1dd0f12091f384eb270539a205edc60a31319e2f2626aa
- SSDEEP
  
  12288:51beMP9g/CigiRVZzV1NTY9JNSE++JhIQUaPQWdoC4E40fAgyJ:516qCCsLZzV1C9JlJhJJ4Odf6
Score

10^/10

formbook ej credential_access discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookejcredential_accessdiscoverypersistenceratspywarestealertrojan

behavioral2

formbookejdiscoverypersistenceratspywarestealertrojan