formbook | 95ead5f59742715dfe3b73aefd02cc41c778bdef63262431ea39188d269754fc | Triage

Sharing

General

Target

943dd70ae7ea579feea9d9bef3c30224_JaffaCakes118
Size

2.9MB
Sample

241124-m49cpasnhn
MD5

943dd70ae7ea579feea9d9bef3c30224
SHA1

3ddf2c1a0a3f8117f040340aaa4e412af52effd0
SHA256

95ead5f59742715dfe3b73aefd02cc41c778bdef63262431ea39188d269754fc
SHA512

8fefc4dc2c4467a3b75cd59066e965c16b0f9ed1f3343f850d4442ce02120aab7c77eda580dd98b1fabf87a0531eab5eeb73dba9e10af246eb1b52bfdb2cb250
SSDEEP

49152:0GBzABJzYm4/PPp5TIW6zerkrGXT7bD3qoebj6RTRXzJ3GniT/cieat3KltJTD5+:GJzYmGHvTcerk8/H3/eAXzJ3kUkbm6na

Score

10^/10

formbook 23v discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

23v

Decoy

1l4m-5qeh0cgx9a.com

portsel.com

vypnxg.men

renrenbaoshangcheng.com

hulebang.com

heatburnio.com

amazingthunderworks.com

quantumreapers.com

8801i.info

moonlightmanager.com

bqypm.info

backlinkbarato.com

jiudianhuixun.com

markerbio.net

empety.com

eternalkollection.com

teknoshift.com

petitenobel.net

zlmqv.info

emotionalcontrols.com

Targets

- Target
  
  943dd70ae7ea579feea9d9bef3c30224_JaffaCakes118
- Size
  
  2.9MB
- MD5
  
  943dd70ae7ea579feea9d9bef3c30224
- SHA1
  
  3ddf2c1a0a3f8117f040340aaa4e412af52effd0
- SHA256
  
  95ead5f59742715dfe3b73aefd02cc41c778bdef63262431ea39188d269754fc
- SHA512
  
  8fefc4dc2c4467a3b75cd59066e965c16b0f9ed1f3343f850d4442ce02120aab7c77eda580dd98b1fabf87a0531eab5eeb73dba9e10af246eb1b52bfdb2cb250
- SSDEEP
  
  49152:0GBzABJzYm4/PPp5TIW6zerkrGXT7bD3qoebj6RTRXzJ3GniT/cieat3KltJTD5+:GJzYmGHvTcerk8/H3/eAXzJ3kUkbm6na
Score

10^/10

formbook 23v discovery persistence rat spyware stealer trojan upx
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook23vdiscoverypersistenceratspywarestealertrojanupx

behavioral2

formbook23vdiscoverypersistenceratspywarestealertrojanupx