formbook | 7093704bdad688cbdb775de4b07daf5e586a9a7c065537d870e4aa07c4fa2075 | Triage

Sharing

General

Target

7093704bdad688cbdb775de4b07daf5e586a9a7c065537d870e4aa07c4fa2075
Size

455KB
Sample

240830-2g5hjszhmq
MD5

2ae8f998fd08ccc071d3161ba532281b
SHA1

1462a45cedfdf0653970a0d435427d7da072262f
SHA256

7093704bdad688cbdb775de4b07daf5e586a9a7c065537d870e4aa07c4fa2075
SHA512

c19792d812055d75318c3b92f6f1a2ed640820c9ea76f0064e28d684d566b5133c51b9bddcec2a87ffc637dcea3659a0b4b2af60bbb64aab01216a08e60eca2c
SSDEEP

12288:0nwfhbKQ1qLsVzlHs4FNNwjM3L7ZcD2WZdj:dhuQ0LPXjM3L7Zcjx

Score

10^/10

formbook hs3h discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

Decoy

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com

Targets

- Target
  
  2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499
- Size
  
  724KB
- MD5
  
  139f804af6727f40136efc05b3810f07
- SHA1
  
  4e91c652e3fc8efaf060f39d2a31ae09b1b57090
- SHA256
  
  2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499
- SHA512
  
  cc037549c0e1dcde4ed7109709e9450a9370538fb1be3fdef03557e758209520c35b3ddefe61b7fdd8a1358a848ec9797ef8326f656c97ff880cdec37428f04f
- SSDEEP
  
  6144:Jo3K9Dnnyx65H+MfjJN5M/lqLuyRkXBymUQOuRH6vDdpQ2T7BxzaJK+Go6Uq2A:JocqGJaJ7BzUQOuR0RpQKExGZUi
Score

10^/10

formbook hs3h discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhs3hdiscoveryevasionratspywarestealertrojan

behavioral2

formbookhs3hdiscoveryevasionratspywarestealertrojan