formbook | b676c82353948f50f7e978b317f1633903c5a03a99b659bcb0395109b05f6012 | Triage

Sharing

General

Target

e174a81d3a5acbb08094c63102f38e76_JaffaCakes118
Size

513KB
Sample

240915-b36dvsygpj
MD5

e174a81d3a5acbb08094c63102f38e76
SHA1

a0c3be456bb4eeb5c76c7896df3ba511f0905fda
SHA256

b676c82353948f50f7e978b317f1633903c5a03a99b659bcb0395109b05f6012
SHA512

244df2d51138ba8832ec9109294d438cb986f46b10b94477443f8c723581c0f82d374d672234cc6f736a682304838b240d7ffcdb91124f1b7ac24a530b4570c3
SSDEEP

12288:B1xd8PIcO+kOmZ2xd8PIcO+kOmZcIztkolugFnJ7:BdMk+kbUMk+kbcXobJ7

Score

10^/10

formbook fr defense_evasion discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

comptonbusinesschamber.com

roxanalabrador.com

orid.ltd

sbeaney.com

4petstuff.com

smartquality-preprod.com

vlach.site

salao-brasil.com

lindenrealty.net

redvinci.com

yellowdragster.com

fancygalaccessories.com

scalaweb.win

ditrabook.com

adler-willisau.com

dszongbu.com

mz-inc.info

mollymormons.com

financialbooster.info

nanmuxiehui.com

Targets

- Target
  
  e174a81d3a5acbb08094c63102f38e76_JaffaCakes118
- Size
  
  513KB
- MD5
  
  e174a81d3a5acbb08094c63102f38e76
- SHA1
  
  a0c3be456bb4eeb5c76c7896df3ba511f0905fda
- SHA256
  
  b676c82353948f50f7e978b317f1633903c5a03a99b659bcb0395109b05f6012
- SHA512
  
  244df2d51138ba8832ec9109294d438cb986f46b10b94477443f8c723581c0f82d374d672234cc6f736a682304838b240d7ffcdb91124f1b7ac24a530b4570c3
- SSDEEP
  
  12288:B1xd8PIcO+kOmZ2xd8PIcO+kOmZcIztkolugFnJ7:BdMk+kbUMk+kbcXobJ7
Score

10^/10

defense_evasion discovery persistence formbook fr rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoverypersistence

behavioral2

formbookfrdefense_evasiondiscoverypersistenceratspywarestealertrojan