formbook | f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f | Triage

Sharing

General

Target

8293cfc29278bb798485c76761a79e84_JaffaCakes118
Size

1.1MB
Sample

241031-k4vs7avhma
MD5

8293cfc29278bb798485c76761a79e84
SHA1

4afbbf0994bf0147c8238dc2b7602728201bdd83
SHA256

f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f
SHA512

6e31a1738d94ec1a51497b67da05bc07aed569a7042ed4ab1ddcb295042db352c9500deeb2a7e7efe5be052bd7a7f700b133d4e50aeec25ba61114ee6b8d8a9b
SSDEEP

12288:WSNiWeZwuKkZbe5KJfD2VXmcjM1zz7bhnF5Y0NPM2yaUVKnp:mWeSdkxCjjMJz7bhnFm0NPoahp

Score

10^/10

formbook obow discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

obow

Decoy

hinetin.net

narrativebusters.com

jesusmusicatl.com

mywellnessbooking.com

830272.com

mainrein.com

kajeoneworld.com

directaccesss.com

igsecretos.com

campbone.com

socialvidiots.com

abditrade.com

purisopropyl.com

opticalapparatus.com

staveoffboredom.com

evinja.com

onlinebusinesstoolselector.com

todayonly2.info

elitedesign-dz.com

zgszgw.com

Targets

- Target
  
  8293cfc29278bb798485c76761a79e84_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  8293cfc29278bb798485c76761a79e84
- SHA1
  
  4afbbf0994bf0147c8238dc2b7602728201bdd83
- SHA256
  
  f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f
- SHA512
  
  6e31a1738d94ec1a51497b67da05bc07aed569a7042ed4ab1ddcb295042db352c9500deeb2a7e7efe5be052bd7a7f700b133d4e50aeec25ba61114ee6b8d8a9b
- SSDEEP
  
  12288:WSNiWeZwuKkZbe5KJfD2VXmcjM1zz7bhnF5Y0NPM2yaUVKnp:mWeSdkxCjjMJz7bhnFm0NPoahp
Score

10^/10

formbook obow discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookobowdiscoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookobowdiscoveryevasionexecutionratspywarestealertrojan