formbook | 1d001e81d92115d22ebefebc16a74c733328f1b54fc4b4ac7ee4657514ec90d3 | Triage

Sharing

General

Target

JaffaCakes118_1d001e81d92115d22ebefebc16a74c733328f1b54fc4b4ac7ee4657514ec90d3
Size

461KB
Sample

241222-hcy1esxnet
MD5

b94de58eed0eaf9473dfa92141121a28
SHA1

d755d5a823e59e6c6bb33031ae4d505dcd532c0e
SHA256

1d001e81d92115d22ebefebc16a74c733328f1b54fc4b4ac7ee4657514ec90d3
SHA512

16fbf6e5dcf0c5c653efab7a865fb12d2652c9a31dca86c3ff9b51c5701379457e7a258a02f161a07fc267a069c4553d04721730c95fe89c4105e26f518ae9b4
SSDEEP

12288:Pvxq1j3h5KOfzZg0Aui58zctL/hCk+vOZ0UMT3eC:P5Ejx4OfzjHi58zcbCpTUE3P

Score

10^/10

formbook hs3h discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

Decoy

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com

Targets

- Target
  
  0535aac19775700bc13586181c92a0f4ad31d4b9f2a8a9488e025a55aa09cf1e
- Size
  
  652KB
- MD5
  
  661cdc0eabc36a6513bdcbfab2229d91
- SHA1
  
  68dfc27daa2275ec7174fecd05a445f80edf033d
- SHA256
  
  0535aac19775700bc13586181c92a0f4ad31d4b9f2a8a9488e025a55aa09cf1e
- SHA512
  
  01e203bf11614e41eb97c7a6cd9ad2343f02b4178b2cd0df979b1731de334ec013007fcda3effd5aa205641a9b3f4cd5e3338d24aca4d1999d8935a4d3a2f942
- SSDEEP
  
  12288:fGnjjX/mAWN1qJFTPUQIHu3kJF8jxYNZ8v9dNIE/Sc:faLa1qkJFf69LIX
Score

10^/10

formbook hs3h discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhs3hdiscoveryevasionratspywarestealertrojan

behavioral2

formbookhs3hdiscoveryevasionratspywarestealertrojan