formbook | 6f9b085602e501a7689153410afd18c36e638b43c2e6e552ae5cf4c8760d68e3 | Triage

Sharing

General

Target

ff2b5ddd7103aaf61528844199911815_JaffaCakes118
Size

567KB
Sample

241219-kh522axkcy
MD5

ff2b5ddd7103aaf61528844199911815
SHA1

c32dd351f06a6c47d5e5055fb18837f43f032ae9
SHA256

6f9b085602e501a7689153410afd18c36e638b43c2e6e552ae5cf4c8760d68e3
SHA512

f5282eadc9794144f2e43804470c9a8afafe7dea4eb918648963f656d3ee1d97e81924b8692ecc1edba7aac5ad7e675a419f02f4aa93f393368a82276ce5ad5e
SSDEEP

12288:MAQK5lhUBcKyou6Tj0qhjMgOGKrITHmMf1fy:X/5rUBcK5hjPtOVrIFfty

Score

10^/10

formbook jw9u discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jw9u

Decoy

myhvacdeal.com

therizks2022.com

belondo.com

selflovewithallie.com

fkdosdz3.xyz

2commacluboffers.com

beyazyakaetkinlik.com

5sensesbranding.com

clesioalves.com

home2.xyz

talulaboutique.com

marketing-republic.com

mappilog.com

n1a.site

berlinspecials.com

iphone13.media

healthrapidlab.com

outdoorteakgarden.com

i0bqd8ny.xyz

chairzon.com

Targets

- Target
  
  ff2b5ddd7103aaf61528844199911815_JaffaCakes118
- Size
  
  567KB
- MD5
  
  ff2b5ddd7103aaf61528844199911815
- SHA1
  
  c32dd351f06a6c47d5e5055fb18837f43f032ae9
- SHA256
  
  6f9b085602e501a7689153410afd18c36e638b43c2e6e552ae5cf4c8760d68e3
- SHA512
  
  f5282eadc9794144f2e43804470c9a8afafe7dea4eb918648963f656d3ee1d97e81924b8692ecc1edba7aac5ad7e675a419f02f4aa93f393368a82276ce5ad5e
- SSDEEP
  
  12288:MAQK5lhUBcKyou6Tj0qhjMgOGKrITHmMf1fy:X/5rUBcK5hjPtOVrIFfty
Score

10^/10

formbook jw9u discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookjw9udiscoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookjw9udiscoveryevasionexecutionratspywarestealertrojan