formbook | 69894b72ab86939a0a2ef7344f00ced587d007df6cf37b4783ae3537b33c125b | Triage

Sharing

General

Target

f899b9cdd81c22ad60433df100898401_JaffaCakes118
Size

180KB
Sample

240926-r6ptaasfnq
MD5

f899b9cdd81c22ad60433df100898401
SHA1

faed3c7eaaf23bc97dc21ce524bc832b72db3b17
SHA256

69894b72ab86939a0a2ef7344f00ced587d007df6cf37b4783ae3537b33c125b
SHA512

44fc4ae93b0ceee05ffcc7d683d6bbd432713a23e24afd2de49a5f8ce49e4b16a2a85bd4f4fab8cd0c5b2d228d9ea90eac2f34bc59345768a79bd24e6bc84e8d
SSDEEP

3072:Q0+6vqeqooPhxuy4nj+YpA9+RhIaW8bE3MsOzrLzILya8qzi4jRkKqm9QZP5eC:bjopxuLj+l9TJ8pcL6ei4jZB0P5eC

Score

10^/10

formbook yx5 discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

yx5

Decoy

ruwbx.com

jasapoleslantai.com

win.xn--io0a7i

ivy0923-aoba.com

petrotaha.com

martinmetlabs.net

centredetherapiebreve.com

pinemountainclubmoderncabin.com

top-tovar.online

wissen-und-kritik.com

preloadmypc.com

client76215.review

mobiledownload.tech

ycphotoshop.com

yimengta.com

bersyedih-4.com

miningbitterweed.info

guitarform.com

dtitc.com

blackhoot.com

Targets

- Target
  
  Invoice8252752.exe
- Size
  
  318KB
- MD5
  
  8ea255af1117e83b0c6c4cd1f7ff4eab
- SHA1
  
  4c3870aef757ca5efcdc324239a8744ed20c10b9
- SHA256
  
  e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
- SHA512
  
  9a4b185b1836683aec23e037377059d6416c204b4d71fc34942eba0f8d8091a24688d3a1a7f737459bd79ace09b601b8cd72de11616e4eef214c12f0ab54a474
- SSDEEP
  
  3072:i/2HRMd/qiEcHUFFms+qCNkkiY0ndiH+Q9y+IZrToLpQwATrJd32Q3z84XvZGX:yQRM1f/0FT+k9YuSFKToVQJrJv3fXvw
Score

10^/10

formbook yx5 discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookyx5discoverypersistenceratspywarestealertrojan

behavioral2

formbookyx5discoverypersistenceratspywarestealertrojan