formbook | 77bf79df6d50b57cbefcfa784584e8827d5a9d8823b7d5df433f93869ccad0dc | Triage

Sharing

General

Target

JaffaCakes118_77bf79df6d50b57cbefcfa784584e8827d5a9d8823b7d5df433f93869ccad0dc
Size

676KB
Sample

241224-dj4f9s1jap
MD5

f461f267c82bd2212071754cc2de67f4
SHA1

ea0f8c3865d0793a4e124443a245fe3810aaecb3
SHA256

77bf79df6d50b57cbefcfa784584e8827d5a9d8823b7d5df433f93869ccad0dc
SHA512

737232e6997c642c3ff79a0a9d7e88c0be5e07dcc64626129afe88e2e1bc85fe138f11ea07b9eba0ddb1d910c11924098bc8eca038e18a49674c2bf324fc1454
SSDEEP

12288:QKzuVdDOF7FCxmOkWf4nHMkjWQoGHr/eYbmrBNtGVK8cPcrv4cJa8o4x:QBVkZAgWAnHMCaG/OBNe7cPkQcrP

Score

10^/10

formbook cmd discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cmd

Decoy

marksmanrealestate.com

weeiter.com

dimody.com

tufftech.pro

romber.info

2theothercurb.com

maskibeauty.com

kreativedough.com

adanacatering.com

wordzninja.com

testxyy.xyz

lifeafterbobby.com

sunsageherbs.com

dentoncountyattorneys.media

18176732933.com

fjhgllnrz.icu

cryptobankcustody.com

theinternetproducer.com

motinik.com

getcatickets.com

Targets

- Target
  
  OtKlDrIky.bin
- Size
  
  1.2MB
- MD5
  
  4dd9b0d139a7c9618fa5344e6b1387f8
- SHA1
  
  53138f14140eb1c253e7985b8385e3853e5a5ac8
- SHA256
  
  73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
- SHA512
  
  754b31faed9881071816f2f6a1cd1ae71cae4c0b0590dc22e44211fc2c33d436e62e0b9ac28881284f1e176bdc8ec414db165776391dfa7ba238baa301465ed3
- SSDEEP
  
  24576:tdbfh8PGaONqv3Dp2E4xGREkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMK:vyPGaOgNfREkcMMMMMMMMMMMMMMMMMM+
Score

10^/10

formbook cmd discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcmddiscoveryevasionratspywarestealertrojan

behavioral2

formbookcmddiscoveryevasionratspywarestealertrojan