formbook | 895fafaba3dd9be186361c1532b486678371684b42018ca3902306a1b43b1d63 | Triage

Sharing

General

Target

JaffaCakes118_895fafaba3dd9be186361c1532b486678371684b42018ca3902306a1b43b1d63
Size

1.1MB
Sample

241223-syqahstlcp
MD5

2fecc74eb9e6b3c6bd3a3608bd31f937
SHA1

720aec66186548b4f24e11ad393e994f71d32b44
SHA256

895fafaba3dd9be186361c1532b486678371684b42018ca3902306a1b43b1d63
SHA512

0f2be3931058823bb2c39aeeb50801ec882ef6dcc53a6a78fc30668e15662b50f4019c9cec04f877db1c7ea6880c5499dfebd3e6d69ae76c72184a607a17cf79
SSDEEP

24576:MMhOIl9kkc2fOVeTk0L/WRtNe5uFp2HBjugcIttc3GuQ2:XOMkd2fsw5C8E2HBRPtIGuQ2

Score

10^/10

formbook ubpr discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ubpr

Decoy

ptpVli2do9q89N0=

+CSLnNslIIErRTE3deUw4HXnuqwqG4+WpQ==

5IBw+rDmyajH6J9b0Gc0

ITivu/UzzGQKCQ==

qNw+VJ7Ni+WT3pA2e/8=

6VzmXNT+607aCN1UmHCt1CjO

a+xfszZjSqdZhCfX5fXnJkJFIsuN8Ns=

DLyp4MD0xUCL6olI

kysKo0J45suL6olI

oE/eN+zqkP2lyG6YYSalUA==

Rko77gUFcKTQFA==

cW14AsnTkUOf0N6ODWjpj7S6nRI=

M9yx/sTJbmx2vzUeWQ==

SQJdWnStlfaz6J0M04r3MN8=

FLhBiiYfyjfZFOdgHU1SfmVhAGgV

nKgaME1YHRs+cHTkn4oI3ibO

vuZIRIyKMaBGiUl9iaiZxNc=

UPnZdBQV1nzxKB1N

iARlleEZxTSL6olI

w5hz+KfftpWkwox0yH7vo0GrwW7RjWVk

Targets

- Target
  
  a52d0bc31a250c5dd5c84c75fca9b965955297d20f582d79849c17fb59c4c04f
- Size
  
  1.2MB
- MD5
  
  8f6f8bc43de5fbdddedb774a22e3dca1
- SHA1
  
  3f48029084649e39963710b0ae114b4663d48e68
- SHA256
  
  a52d0bc31a250c5dd5c84c75fca9b965955297d20f582d79849c17fb59c4c04f
- SHA512
  
  ff48e557c37a8ebda2d9504727681dca35353003e87369e5462fb20a1c4746fb998200130b23518288a2bf7c4af06e8853937251af7b2c17e94a46d39b991797
- SSDEEP
  
  24576:7AOcZX4ctcwhwheT60L/2NgeSMj5HHeg/cbGOSMIEn:dPwhUwvfe/5HdYGOSMV
Score

10^/10

formbook ubpr discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookubprdiscoverypersistenceratspywarestealertrojan

behavioral2

formbookubprdiscoverypersistenceratspywarestealertrojan