formbook

Sharing

Copy URL

Twitter E-mail

General

Target

d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118
Size

345KB
Sample

240911-fzr5aavfqf
MD5

d9af5dd07a77a24d5499164aed22dc0a
SHA1

36aeb648e254ff72689ef8c95ab5851f95c8a73e
SHA256

5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3
SHA512

29328a3081a6939d370ae5d039490a3637b24d7c8f7420fa0d7e5f33d31b60fdbea2286d42580ba40b5a8d05c962616b59765b7ad4fe82bde340d9c11a90a1e7
SSDEEP

6144:S58/+dBOIfjkkODm7aNXcdVcUdc+1znmBDFV1ZE3furMpN0tKPo3/3Y:NkOYLODm7aZc1dnzngTZ2u0xPy/o

Score

10^/10

formbook ik credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

aktfh.com

gzxcserver.com

ollgabruell-fengshui.com

peggyhaddadinteriors.com

tamoxifencitrate.store

dongygiatruyendactri.com

dosti-desire-thane.info

hidejunkie.com

client76212.review

chopaankabobhouse.com

sboz1.com

oilbularya.com

peachyfindz.com

chroniclephotograhpy.com

ynherbaltea.com

lirong2019.com

coolcloudhvac.singles

ruimingwuye.com

xinyue-vip-qq-dnf-com.site

binaprimamultiutama.com

Targets

- Target
  
  d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118
- Size
  
  345KB
- MD5
  
  d9af5dd07a77a24d5499164aed22dc0a
- SHA1
  
  36aeb648e254ff72689ef8c95ab5851f95c8a73e
- SHA256
  
  5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3
- SHA512
  
  29328a3081a6939d370ae5d039490a3637b24d7c8f7420fa0d7e5f33d31b60fdbea2286d42580ba40b5a8d05c962616b59765b7ad4fe82bde340d9c11a90a1e7
- SSDEEP
  
  6144:S58/+dBOIfjkkODm7aNXcdVcUdc+1znmBDFV1ZE3furMpN0tKPo3/3Y:NkOYLODm7aZc1dnzngTZ2u0xPy/o
Score

10^/10

formbook ik credential_access discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Formbook payload
  rat
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/Splash.dll
- Size
  
  4KB
- MD5
  
  3f35f73787f0c3bb5e59445fb18ade0d
- SHA1
  
  f1566faff96c3988cfc28dc7d433094b6348cdbf
- SHA256
  
  5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6
- SHA512
  
  45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  7836f464ae0102452e94a363b491b759
- SHA1
  
  59909a48448b99e2eb9cd336d81d60764da59f31
- SHA256
  
  11adf8916947b5a20a071b494fa034cf62769dcc6293a1340b29a5bb29ac8e87
- SHA512
  
  5ed63eefa1b3b3caad4cb762ccb8419c05bcad3da3a7415235cda2d2a1f79eb018503ca30a0a92d6b72160327decea9a70c48e0c28de94dd67303d4aea4a02db
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $TEMP/coffer.dll
- Size
  
  34KB
- MD5
  
  9efcdaec062823e9749250da225dfe4d
- SHA1
  
  1d6209a71c061729683ce81890f2d8c0c02c6e05
- SHA256
  
  04904de1d15bb931cf85eadb7714bd53f7236de0fbc1f62c22aafb3470ff847c
- SHA512
  
  b7faee0a4c769ee39fc11fe20c6ec362b6802e9fd7f81d8a495f1423263af8074cf995c1ff8d964680c10c3026e69ddb66e749b9b29784309502d805673a720a
- SSDEEP
  
  768:tyxfTX4H2MoxHO1iB94vJfIhdV2GLkBrNj2+QE8u8VP:sfTX4zo85w+pa+J8f
Score

3^/10

discovery
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Formbook payload

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10