formbook | 884c7ea15aba23c993192d3c0641508443f594ae71c15d068d42fe7022ad82b5 | Triage

Sharing

General

Target

JaffaCakes118_884c7ea15aba23c993192d3c0641508443f594ae71c15d068d42fe7022ad82b5
Size

238KB
Sample

241224-vp3wcssmhw
MD5

f12cba59e614a7d49d54418ac8aaa8b2
SHA1

cdf5ef0cc4e2d2cdc7a2dc23eb2bb4c9c4d26c69
SHA256

884c7ea15aba23c993192d3c0641508443f594ae71c15d068d42fe7022ad82b5
SHA512

757e21466572536a1910ae9e612a90c519cad56915ca9e707c59582d929e116480b2b298994ffb544d31927b31a097f3204dce42727d5bb483a31e17d81380a3
SSDEEP

6144:RdQK9sfU0Es+fria18ReBfJnCslm0yse770kO1/JGD13n9tI:RdnsfUxs+Oa18ReBYgJeMkmxGDNng

Score

10^/10

formbook 73dc agilenet discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

73dc

Decoy

qaimd.info

masterlatform.net

daokequan-pdd.com

danieldelcarmen.com

nissancraft.com

gwenscuisine.com

caoyejiasi.com

jobscsra.com

drinkgarden.com

kountrygirljewelry.com

bavariaimmolounge.com

tepthera.com

buzzstones.com

massagemmasculinaemsp.net

prettymixy.com

czczjy.com

yourorder.win

bridgesbecrazy.com

669usf.info

keithnewbyartgallery.com

Targets

- Target
  
  41f341ae994cf53488e0a96a6a531c9ef26c31ad763b7f858b278657051be31d.exe
- Size
  
  532KB
- MD5
  
  b2f556607df50936eb1c0664034427ba
- SHA1
  
  7ca4894a3804e721e85d31941bec38170099226e
- SHA256
  
  41f341ae994cf53488e0a96a6a531c9ef26c31ad763b7f858b278657051be31d
- SHA512
  
  a1ded171b38c3e5a37dba096e8c04b19c7cd3e46587b7681c00df2baad1e28a2ac917857e0c59de7448ed353383dc6b75c4f2cd93804028e05223bada11b471a
- SSDEEP
  
  6144:VaUDG3Kp1D6VEJD6LpypZ5xw6ZzzyJ9VecftKGjiqG4ErnbST6n+lDAAG8:VaUDd76VEt6QpZ5x+ltBmqG4ErmdAAr
Score

10^/10

formbook 73dc agilenet discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook73dcagilenetdiscoveryratspywarestealertrojan

behavioral2

formbook73dcagilenetdiscoverypersistenceratspywarestealertrojan