formbook | b4797a0d1fe9fb6f6e293174113163d715e9e3e3ceed1456cce8108f803bff86 | Triage

Sharing

General

Target

8702b3a38be01053d035b1ac848dc09b_JaffaCakes118
Size

465KB
Sample

241102-w9bhaasdmk
MD5

8702b3a38be01053d035b1ac848dc09b
SHA1

a6bee8f41ff1b27612bfb5b124a5c26f140cda8a
SHA256

b4797a0d1fe9fb6f6e293174113163d715e9e3e3ceed1456cce8108f803bff86
SHA512

bdb3e0171888acf5f3ce968104e66e5b566e153e29688dc1b7d3e4b987f197482c85a78342eb0490d2d56a40c0e9d6c1b8b1e95667c85377f8611824142db0cf
SSDEEP

12288:zn88KwqqRDU8hXgutMMT6Bq1SSkEc3+b0Zd48XG1W:z8lmgkMOaYY4sG

Score

10^/10

formbook h328 discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h328

Decoy

fallparent.win

99h2o.com

urgamesim.com

mars.black

cftbry.tech

nvaudfsd.info

promisedjuan.com

glezonetz.com

greater-cheaper.com

jdxycj.com

vdccpcucullate.review

www310bf.net

safenightsguardianangels.com

sabaddon.com

waxwipe.com

wout.ltd

orderlerapps.com

content-protected-s3.com

lovinglyyours.online

lockandgomadrid.com

Targets

- Target
  
  8702b3a38be01053d035b1ac848dc09b_JaffaCakes118
- Size
  
  465KB
- MD5
  
  8702b3a38be01053d035b1ac848dc09b
- SHA1
  
  a6bee8f41ff1b27612bfb5b124a5c26f140cda8a
- SHA256
  
  b4797a0d1fe9fb6f6e293174113163d715e9e3e3ceed1456cce8108f803bff86
- SHA512
  
  bdb3e0171888acf5f3ce968104e66e5b566e153e29688dc1b7d3e4b987f197482c85a78342eb0490d2d56a40c0e9d6c1b8b1e95667c85377f8611824142db0cf
- SSDEEP
  
  12288:zn88KwqqRDU8hXgutMMT6Bq1SSkEc3+b0Zd48XG1W:z8lmgkMOaYY4sG
Score

10^/10

formbook h328 discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookh328discoverypersistenceratspywarestealertrojan

behavioral2

formbookh328discoverypersistenceratspywarestealertrojan