formbook | ff50cc90850104e009b0a82ae07a0a2b785fc17d1ecdbe719caebb4e63389b7b | Triage

Sharing

General

Target

f84855dbffab4260a91fdf79fbccb9b4_JaffaCakes118
Size

307KB
Sample

240926-npsl3avdpk
MD5

f84855dbffab4260a91fdf79fbccb9b4
SHA1

a76ba5f626e9dbe40b0b68da868661ca22f9647c
SHA256

ff50cc90850104e009b0a82ae07a0a2b785fc17d1ecdbe719caebb4e63389b7b
SHA512

0954d0ad21f672379507fea0122fc61be4c8374698e997b5deea6e10b11be9020316f63b249a675e6cab60d1901a41f717ae71c3bf7bb73bd71b001b9267d0ea
SSDEEP

6144:9zIz3D+mNYJnRhFPIleZ/k2493piJXLi8fCvGN31vmyFvH:903+mknR/I0Z/r4tpoFfOG7vmyFP

Score

10^/10

formbook ch discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ch

Decoy

dfjz88.com

realtorscreek.com

pl8v5z.info

thicdienthoai.com

areauruguay.com

shimizu-yado.com

apples5.com

hothip.net

jm-legal.online

bkinfo28.online

edificiosakura.net

biodesixlungreflex.com

segurosblanco.com

atsintech.solutions

steuerberaterfinden.com

ojjul.com

udcomputer.com

grovescashflow.com

inglot-jlo.com

docteursnuisible.com

Targets

- Target
  
  Maersk Scan Docs.exe
- Size
  
  516KB
- MD5
  
  95c48652559f05a64085bfe6e35aa29f
- SHA1
  
  29b0c7589cb4404815c83a033c2b87813387e9b7
- SHA256
  
  f1def9617ca9f7ac437dfbd6d67b37af2779827c2c66b89ac80b6f6f6279f173
- SHA512
  
  95260fb7ab3d104869c3624bbf030f626f31eac4305964c71340afbe9b837299b180e5af0129f155869cc1743fd4907ca123a7c98b6f04ee8c74246041e846b4
- SSDEEP
  
  12288:ucmcDYNKgACB6CK8bWOuqynw0+je1syX/OycmcD:PDUn29qynw0+j4lX/8D
Score

10^/10

formbook ch discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookchdiscoveryratspywarestealertrojan

behavioral2

formbookchdiscoverypersistenceratspywarestealertrojan