formbook

Sharing

Copy URL

Twitter E-mail

General

Target

d559327081b57fd122838deb74b92ac5_JaffaCakes118
Size

369KB
Sample

240909-ahk2ravdph
MD5

d559327081b57fd122838deb74b92ac5
SHA1

9c974a41167a4ba628c5e56e3962235ce28799e0
SHA256

ef911d4f6162d25b42b36bd71b99dd256565a68410c707ee29c40a01f3797036
SHA512

b888135888602316260529125cebdad5432c16e62ae511f6eeb714a971315f31d4917b1fe5504229bae5f4a05200558e6527928646fe12b5a23970f1aed94337
SSDEEP

6144:IXD7gYxbzgfWl7KV7n9BJbyNlWUy0PwaFtc/alTsmBv5uZ5pK9WwpbQALCXtPhV:IXDE9fWcPu3DwaoismBx2SPbNWJhV

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c232

Decoy

tangdourenfz.com

helpforkids.today

bioethanol-us.com

0351zc.com

3rdimultimedia.com

thecannibisconnection.net

mktoob.net

orchidinvestmentlimited.com

moccustoms.com

shopendora.com

rosariosandino.com

bien-vivre-tunisie.com

godofgreens.com

nhathuocphuongle.com

thefastsource.com

viagra2tadalafil.com

abarroteslacanasta.com

versabiosciences.com

nergiztarimhayvancilik.com

airpodsbayi.com

Targets

- Target
  
  DHL PACKAGE - PDF.exe
- Size
  
  395KB
- MD5
  
  863bf0dfa1169706f566c070a1e11256
- SHA1
  
  77175726680e40eeefdad0578a1d3377486d9fff
- SHA256
  
  a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
- SHA512
  
  21aef52bb4b5ed66c632c0ca55e156b95dd5bf2715599880fb0b5ffea523fca0b82739cf2617095336c332664ab8dcdd64fa910d3bae64c9f384767709720ada
- SSDEEP
  
  12288:nanOzOlC9Am80quPgdBHh/FOPfe+VYRVORkG:lqltm80qigrHxFGVYbi
Score

10^/10

formbook c232 discovery rat spyware stealer trojan credential_access persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $APPDATA/for/page_1/13.opends60.dll
- Size
  
  51B
- MD5
  
  f04aa19e6a25638e61867d3495058e79
- SHA1
  
  f06f9e02611cdd1cf3d960897c262f528d2bfc32
- SHA256
  
  e3d2cfcd73d4f98f610173031b36e4ef77771c50bdb3ec3c8b4f2734b52a73c3
- SHA512
  
  7037e51cc7e02be051e16c70ac65c10a6943640a92e91860550f3115220fb2ff78340427a4c796b411dccd803eaafc6fd5cf179432d206445fc819bd2f3df667
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/for/page_1/MicrosoftXslDebugProxy.exe
- Size
  
  36KB
- MD5
  
  6ad1c32675ecd48f15535e4a0e474e28
- SHA1
  
  2d9b200ea1d9fb6442f21bb5441072bd4b9d1968
- SHA256
  
  46b1a81f5ebb43404ac7229d14593d5f47930c8fc3fb5279ac5402507f7ea7b3
- SHA512
  
  8a425760aa2e7bbe286b2322d2413eaee42d7e386448050c46f61c461481407800ed2b5bd19beee77dd74fcb30e496d36c303d0845e1ee138babf6f483da1659
- SSDEEP
  
  384:EW2BCQspyJi6d0XsNGIEP/06V78FIISqa4ld2Cxs+NHsRo8CWewMW:fBqJbS8N7IIlaAs+NHsKe
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0063d48afe5a0cdc02833145667b6641
- SHA1
  
  e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256
  
  ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512
  
  71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- SSDEEP
  
  192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  6e64e5d5f9498058a300b26b8741d9d5
- SHA1
  
  837ce28e5e02788da63a7f1d8f20207d2b0bf523
- SHA256
  
  8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33
- SHA512
  
  f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e
- SSDEEP
  
  96:oWW4JlD3c151V1gQoE8cxM2DjDf3GEst+Nt+jvcx4P8qndYv0PLE:oWp3ggQF8REskpx8dO0PLE
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  $TEMP/2006/35.opends60.dll
- Size
  
  57B
- MD5
  
  b330e04d27f2b76246c9401bb9df8405
- SHA1
  
  fea5928cf1704d14ee717bb703c65aedfb194751
- SHA256
  
  99e399e564c46308a2ec22a427f5338433a820c09ff559c8f6488be9199ed1ad
- SHA512
  
  b07555fa3fb5e11e91583c28922f5a59f09e0cc8244b3bc5e62cfc231cd4a4da080f0653d404ca9a8ab332f61e393ed17235858e84dca0578f8ae51e9b5f30a9
Score

1^/10
behavioral11 behavioral12
- Target
  
  $TEMP/SitulaCystocele.dll
- Size
  
  50KB
- MD5
  
  de3f3ceccff80b3b0cc7e8cc58357b70
- SHA1
  
  701387d5e62903e114f4bdf59cd4f89cc6b2ad4e
- SHA256
  
  18e86106e60613594527c85fe6c97287fc8c3715181a62cb2b4d2258c210b6c8
- SHA512
  
  ad16ea6af2200f7f8a8c0fd0cc1fe5c935942a8789ce057818499b1a51865bb4a0b39a4091f84a2652d2c6ea7569e3829dd5b3043b2d44083a597f3954c2c6db
- SSDEEP
  
  1536:5EOuTAjdpOExDJANAB/qepudoVoD3Qu3IEN:5yA/DJ3
Score

10^/10

discovery formbook c232 credential_access persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  $TEMP/mode/Thumbs.db/intern/ActiveSyncBootstrap.dll
- Size
  
  40KB
- MD5
  
  b59ec4aa8cc4eeb16e5567c085d5d677
- SHA1
  
  7c2442b35816e0517648a390f106910ae960f7bf
- SHA256
  
  1bf2270bfa6bafe29329f9d84c5f8856b57c84af6f3ed05027cebc4f767d07ef
- SHA512
  
  719d127a378fb16772c5a6c4b6ea6225a27ad4cd2a0d84e237faaa7a1a4e63cdd869ad2cf04b57268e393f709adea2a8aa83c6a640111d93fd2071ebdac7a470
- SSDEEP
  
  768:MzE7orC6TyNqZ7t7Ahh5E4C6FHYm6d985dgn49kjkGnUOhBpEdpb:tkTym7t7Ahh93+dqgbjXUOhBpeb
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $TEMP/mode/Thumbs.db/intern/MicrosoftVisualStudioUI.dll
- Size
  
  3KB
- MD5
  
  9e44dec6dec0a8c055a6a48d3ee29052
- SHA1
  
  7143370f696522feb81fe920798d5792b763a561
- SHA256
  
  7d5e33d5b52f33c807c8c00273a2ade316de42012d7b915988731440194a6bd3
- SHA512
  
  94c20ac41e1e9a41d02361a8273b9c86167520f0eabb545dd7e174d2d0f53576ce374f5cd34029bb1f13c28d5cde92e406b0708d2e8ace73956749e1b8970719
Score

1^/10
behavioral17 behavioral18
- Target
  
  $TEMP/mode/Thumbs.db/intern/NatDbgDEUI.dll
- Size
  
  22KB
- MD5
  
  d98672a1094da398dd2caad207d4d188
- SHA1
  
  a510b3394bb8f5bd2bff086dd5a874a9af762e77
- SHA256
  
  dbc470b89daeb73f6809b4df70fc0078d14fc8bc6b77a07ba479f93fa72afee8
- SHA512
  
  978af83abb1dfcd78e4a1074d15eeeb1322fd1261c4071623b3c6a0d05a470ab85afeaaf7eb244c3ce106875e23f5c0487daa1d523460a8f8283d0a1b5f08279
- SSDEEP
  
  384:4WswcEWTVjEBNRTDJp6Np1Od8zUXt5tqdPJbUOwjAw7j1/Og:8lVqTDJp+p1OaYt5tmbUOwj
Score

1^/10
behavioral19 behavioral20
- Target
  
  $TEMP/mode/Thumbs.db/intern/PermCalc.exe
- Size
  
  28KB
- MD5
  
  c2efc9fcbbf2d6952110fea17841b71e
- SHA1
  
  4860494e79e88beacb0155584056699adb073f44
- SHA256
  
  57f248daa64d83c215189a3d38b9692f93125273ee046328febe33e69df01ded
- SHA512
  
  5aa7033b6b9de91c309554b354d47d63c08d15d4d5ebe4ac6e98e059873c74149c869dea731a2754ca31dee526f27221cd210555693e5f6886cc26d271f39ae0
- SSDEEP
  
  384:xL8f6BoGrFTth3SAUnZV7OKAyXSKglWYbW:98iBoGxtSHqKgB
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $TEMP/mode/Thumbs.db/intern/Vsa7Director.dll
- Size
  
  37KB
- MD5
  
  6db03aa5dfe458e7a4e21d9688d3dcd6
- SHA1
  
  256e539c011697a8983c8a609e21cdedd4d59ecc
- SHA256
  
  fcba2ff7bce5ba6c0a5188cfde82009c7acd6b14cb14ce390ab5a49773a425b4
- SHA512
  
  0a5e16a993b3c2afcc8326607046ca509d2ac63682f99a149cd539e474ed6062f54b5c6b02bb8272c271ca0bccb48c08b75d18cb4ec5350d99ec885e25de8ecd
- SSDEEP
  
  768:r5Eiu+UuJwO3YkHr05FLsHNqW/hks6qrJ/Ejv7Mbk6huUc9zhX:fuDuyO3YiIAHNqW/ms6qrJEv7Mbk5UcP
Score

3^/10

discovery
behavioral23 behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Adds policy Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Formbook

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24