formbook | 40b17b75ffcad397037fd4a0df3ff382a2a8e9ec03c0035c46ab822b856b9c7d | Triage

Sharing

General

Target

40b17b75ffcad397037fd4a0df3ff382a2a8e9ec03c0035c46ab822b856b9c7d
Size

1008KB
Sample

240924-xm5naazarl
MD5

c6d0893137d087f03c3203a4890921de
SHA1

03e8d84e9000fac0426a0fe572617fdce2d66d4f
SHA256

40b17b75ffcad397037fd4a0df3ff382a2a8e9ec03c0035c46ab822b856b9c7d
SHA512

cc79ef4edddfd23f35255815f5043a112fe604f66895d492e3e7d3638d584ff5c10e7f1bc8c86cdf64bbe215aa29c054d053452565c702b7b778587fbc097991
SSDEEP

24576:LJ9fJrsUJyY1oZCN6aDfTUL1LCZUyxDAk999mY7p7ww:d9fJwe1BDbUpCiyxDAm3p71

Score

10^/10

formbook e62s discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e62s

Decoy

ellinksa.shop

uckyspinph.xyz

owdark.net

arriage-therapy-72241.bond

w7ijko4rv4p97b.top

heirbuzzwords.buzz

aspart.shop

ctivemail5-kagoya-com.info

shacertification9.shop

zitcd65k3.buzz

llkosoi.info

ru8.info

rhgtrdjdjykyetrdjftd.buzz

yschoollist.kiwi

oftfolio.online

rograma-de-almacen-2.online

oudoarms.top

mwquas.xyz

orjagaucha.website

nlinechat-mh.online

Targets

- Target
  
  www.exe
- Size
  
  1.0MB
- MD5
  
  b6fded66a1bf362c4ef98883f04b53ac
- SHA1
  
  aaa5e105742754c5b250276e916e13ea34613560
- SHA256
  
  3218d9e3413de3fc262447ccddd5f9f458c82abdb96943e830dfc3ebeb1a1de5
- SHA512
  
  17ce4adce92925b137cf4e3cfdf8b43c705cdf949a139ad2de77fe2579debcf72c0b2d3ab43e58593d66e0167e3e02d9164953c51041006df9a2560b6e297108
- SSDEEP
  
  24576:lexvf1XsiJ6Y1GxCNEaDfTeLfbCFUGDBOkv95m27R7w:svf18K1ZDbefCuGDBOoXR7
Score

10^/10

discovery persistence formbook e62s rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Formbook payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

formbooke62sdiscoverypersistenceratspywarestealertrojan