formbook | 8eb59f34b6e1c465b4b3c45402ed8d59fc136f024fe97d0cdf94f3c22dc20cb0 | Triage

Sharing

General

Target

b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118
Size

1.5MB
Sample

241202-kw8p3stpbr
MD5

b7d81877eeba60cdaee88287d4dfc1a7
SHA1

5c7a31f06e48760e3da5900b8bc8e5d2088933e5
SHA256

8eb59f34b6e1c465b4b3c45402ed8d59fc136f024fe97d0cdf94f3c22dc20cb0
SHA512

2dd5843889df3f3abbf93d2eddc43f2480be2eb16a549eeadd0f83df358248dbee593240206423321f5bae2b1eb94c7e4c62721cdd956dac89a60bb099fa8def
SSDEEP

12288:+71CB0/uBEPbhrhi6l+jd7d/hiBnaLHgwBKanOLoejK9ufY/Zd8wzQ6H+Uy1Susj:CeGN1sjknKrBbOLoeUuQZOFZZS5R0

Score

10^/10

formbook xgmi discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xgmi

Decoy

ivouty.icu

bgilroy.com

dgden.com

grosse-schware.com

mandos.tech

deedv.com

the724lab.com

dulcepicor.com

cupsandkids.com

albertafutsal.com

ponthierandson.com

tiendaewin.com

200garden.com

f9753.com

cognitivehearingspecialist.com

pikypets.com

dimestorecowgirlscompany.com

reefervannetwork.com

umf2.com

yoniwater.com

Targets

- Target
  
  b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118
- Size
  
  1.5MB
- MD5
  
  b7d81877eeba60cdaee88287d4dfc1a7
- SHA1
  
  5c7a31f06e48760e3da5900b8bc8e5d2088933e5
- SHA256
  
  8eb59f34b6e1c465b4b3c45402ed8d59fc136f024fe97d0cdf94f3c22dc20cb0
- SHA512
  
  2dd5843889df3f3abbf93d2eddc43f2480be2eb16a549eeadd0f83df358248dbee593240206423321f5bae2b1eb94c7e4c62721cdd956dac89a60bb099fa8def
- SSDEEP
  
  12288:+71CB0/uBEPbhrhi6l+jd7d/hiBnaLHgwBKanOLoejK9ufY/Zd8wzQ6H+Uy1Susj:CeGN1sjknKrBbOLoeUuQZOFZZS5R0
Score

10^/10

formbook xgmi discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxgmidiscoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookxgmidiscoveryevasionexecutionratspywarestealertrojan