formbook | 18ac075f03eecd2591e09339d952b331804eebe240185dfd4601db744b081577 | Triage

Sharing

General

Target

JaffaCakes118_18ac075f03eecd2591e09339d952b331804eebe240185dfd4601db744b081577
Size

427KB
Sample

241224-dmgrnszqcw
MD5

c74b319dd89d5bc3266bc518d8c7b1b0
SHA1

a47960c1c24f2f74f4d463fc858c293b400e373d
SHA256

18ac075f03eecd2591e09339d952b331804eebe240185dfd4601db744b081577
SHA512

f51c3dbd01c4b281ebee8307aa8df20f7be90962aa29da7077db75181eb4942451f619216073358ad7599f7bcf67e2ae3bd300b89c0e180f3b67dcd8a85cfdd2
SSDEEP

12288:dpk6baSLtqsM+ZEP4LqY2rZMYWV1O7YJW/0l:3FayMcEP6mrWV8Ml

Score

10^/10

formbook x0h discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

x0h

Decoy

kairos-go.com

news3091.photography

champlin.biz

callmekondoor.com

makrobet109.com

schoolwearworldwide.com

abelabramyan.com

szbtps.com

okanega-karireru.com

goldenwestflooring.com

hemptactics.com

fshsst-ar.com

securityupdates2.site

lhot.ltd

mgaklubspa.com

benefitsofcrossfit.com

stuff.blue

yingjia168.com

audio2mp3.com

live-outlook-login.com

Targets

- Target
  
  1.bin
- Size
  
  743KB
- MD5
  
  23713e079ab57e334b8cb4116e7a1318
- SHA1
  
  7f1a8448ccc5ccf5e3758055f89ee156e1a17ff6
- SHA256
  
  c89757583d8df1ff56a4a8a4efa66666d02af3807b60cd058031afe1aebaeda8
- SHA512
  
  134aa0ab39d5f4241362753c9a414542673a66ccebea89910ce867574e5075c880052f89cc946e1d735e904eef2685c8598c4f39ec82a5c54c60a1e5a47e43b8
- SSDEEP
  
  12288:bxojH5jdL/KyCR7PqRo2YQLa3RFC7cvoLTKF99AQ056islwo8ZHo:+ljBKnRIIQOhKcCTKFPAQ05Dslwb5
Score

10^/10

formbook x0h discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookx0hdiscoveryratspywarestealertrojan

behavioral2

formbookx0hdiscoverypersistenceratspywarestealertrojan