formbook | 470f69dc7b80ae3158420bd7b54fdda944a02fa15c4236686d5f81b5f72966d8 | Triage

Sharing

General

Target

JaffaCakes118_470f69dc7b80ae3158420bd7b54fdda944a02fa15c4236686d5f81b5f72966d8
Size

133KB
Sample

241221-xgdydawnb1
MD5

278074bd83a21419d1b7b8137c49483f
SHA1

576332f1e2e8e4fc95d8e7e1375e37e588c1e855
SHA256

470f69dc7b80ae3158420bd7b54fdda944a02fa15c4236686d5f81b5f72966d8
SHA512

fa30d5535ba27664acb849871ade961ae5cb1421cc34561b412ecb45c0af11fe0215edbcca461b06d9e9fbcef34d429a85ca350e3eae2d147d0dc82eda11d741
SSDEEP

3072:IBjbb836JtvJxIxvPQGNbXCCIPESllhpYdd5Yq7gHbxpEtQ13Pu4E:6Yq7U5QIbo8SDhGdPMHUtqPw

Score

10^/10

formbook zvf discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

zvf

Decoy

slimytrout.com

ericdykema.com

pennystanwayart.com

auliawijayadecor.com

iyundun.com

postforearn.com

xn--4dbaigbvbe5b1a.net

fishhousemarketandgrill.com

cqweb8.com

serverauthcheckmate.com

betterulasy.com

karenhoverrealtor.com

etigia.com

yinggehong.com

brandprtex.net

pusatcpanel.com

reidec.com

ajscghy.com

tvdajiang6.com

freightlogins.com

Targets

- Target
  
  formbook.bin
- Size
  
  181KB
- MD5
  
  ab063fa349f25116b15276ad1e2251d7
- SHA1
  
  ddcdf4314f2c187d04a066380d97959e62c34dbd
- SHA256
  
  dc769e89feccc886334377b01f29dfe4b36c3266c2df8c88ca704919d0b1b938
- SHA512
  
  98abbe10c466b8798093963a479fd8bffcc8027feb2be361a092a98ea32f4960a1dc0e14bbd606752db3950fdb84b17763c81db6911390c88c91fbbacb56687c
- SSDEEP
  
  3072:/qpUoiXhkew9hCgu9gbxNkqqh7vIu+fiL2+TLmym/yyA2jh:Dxtw6gOuxaqqh7+aKsCymqHwh
Score

10^/10

discovery formbook zvf persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookzvfdiscoverypersistenceratspywarestealertrojan