formbook | a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399 | Triage

Sharing

General

Target

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118
Size

1.5MB
Sample

241126-n1wsvswnak
MD5

a1c4645815d0ab06831f62042cfa0da0
SHA1

e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
SHA256

a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
SHA512

a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020
SSDEEP

24576:4SZIpRCJh5KhAEoaPMRfyT43jJ3cYp9KnZZS5R0:ApR0cjoaPM5yCJ3ck923B

Score

10^/10

formbook nff discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Targets

- Target
  
  a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  a1c4645815d0ab06831f62042cfa0da0
- SHA1
  
  e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
- SHA256
  
  a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
- SHA512
  
  a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020
- SSDEEP
  
  24576:4SZIpRCJh5KhAEoaPMRfyT43jJ3cYp9KnZZS5R0:ApR0cjoaPM5yCJ3ck923B
Score

10^/10

formbook nff discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooknffdiscoveryevasionratspywarestealertrojan

behavioral2

formbooknffdiscoveryevasionratspywarestealertrojan