formbook | 05c716360dff99968723b29aad8a4a961c74db0a4225bfa2c036ed410c3a9d37 | Triage

Sharing

General

Target

JaffaCakes118_05c716360dff99968723b29aad8a4a961c74db0a4225bfa2c036ed410c3a9d37
Size

480KB
Sample

241224-amg6nawmdv
MD5

da11ed7a47b23f3c0cea17e32ddb5abd
SHA1

2d5e355b4c4a760bf41fde69b5148635f8285478
SHA256

05c716360dff99968723b29aad8a4a961c74db0a4225bfa2c036ed410c3a9d37
SHA512

752e7a892e63d6bdef7ae656d90fe3f4d806d7b0f2c6b58ec6bc5b8c430c537a2429748b8d8d44062d5b5445b2d36f06fbd6fc877d1209565fa61ab881dd03ca
SSDEEP

12288:Jh1r0A2+9ANRhKtP06Iy7mfLYGSsYz+Y9:Joxhp6wfLYGq

Score

10^/10

formbook nr5c discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nr5c

Decoy

solitairejqk.com

e-chew.com

javnfts.com

riotgadgets.com

whxwkj.com

hashtagstartup.net

misbantarkalong.xyz

2888sy.com

tuner-sell.com

backdecal.com

lnwindpower.com

neo-teric.com

provitac.info

yugenft.com

mountainvirtualutah.com

bestserviceusa.com

hoghooghi.net

maxicashprogfr.xyz

theshawarmarepublic.com

leelatoronto.com

Targets

- Target
  
  ORDERLIST.bin
- Size
  
  1005KB
- MD5
  
  2e8f7b66c45f593718e35c6f03d2a888
- SHA1
  
  08f1e682a23612bc7f1b574f14de4a2b978f0006
- SHA256
  
  2ca1fd154cb8f8f7df82b11827026c30ff1bd66840a9fc7306c4a78cf7022a09
- SHA512
  
  c0e1fc5d4d6a05b956d54908eb70ee43ab1fdb843079316bf2e1c9b06010f3a3d434d4dfe6dc5efaed1f156e457007c40eb6d491f4218d7cd7a1bd78772be045
- SSDEEP
  
  12288:O948jvBC+llKfOsskGSSO59xneQIYTBkXFYUz3S30lQY2VGamSAQdP4:OmYnlYsLmXeQIY1kXFo3eQDVZOp
Score

10^/10

formbook nr5c discovery persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Remote System Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooknr5cdiscoverypersistenceratspywarestealertrojan

behavioral2

formbooknr5cdiscoverypersistenceratspywarestealertrojan