formbook | 1601b9784608dbf5766c22a1c8e374a0982cc4a87071a4b1f96b527fe90dbf76 | Triage

Sharing

General

Target

JaffaCakes118_1601b9784608dbf5766c22a1c8e374a0982cc4a87071a4b1f96b527fe90dbf76
Size

583KB
Sample

241224-vqvalssnax
MD5

5bd647a2492f3c8a0b71c8ca404f76a1
SHA1

e0f957d18826c8672b485af794a96fdeb1b14670
SHA256

1601b9784608dbf5766c22a1c8e374a0982cc4a87071a4b1f96b527fe90dbf76
SHA512

c7441b76d0fc2cdea86c009f1112b73948be6d0f52b7645ebb00178c79aa4d72e67826f566460292da934f1082bb050bc2f9f9bafd63aa7f59dd291eb0a2827f
SSDEEP

12288:zQ6+ymq7IleOT1j79dOU5evhWtMd4uAWN6ZR+szvXlZEaw27lFtEgH1ff4:v4q7Il75NP5ect4kWN6ZkINZEaw2p/ET

Score

10^/10

formbook 4kx discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4kx

Decoy

tenghuab2b.com

docperkins.com

xn--8qvz5k.com

wahgig.com

lesfantomesdelopera.com

ableaccessdesign.com

fraubergtour.com

conjoo.com

colemix.com

ijmpennsylvania.com

viagraboysdownload.com

primaryancientgreeks.com

mavericktourist.com

cezhav.com

zapjevajlive.info

yvpol.com

moonoka.com

pengodam.com

prubobhatton.net

exanyu.info

Targets

- Target
  
  3.bin
- Size
  
  716KB
- MD5
  
  6cfd9e4c91e40289c1336092f523fbb9
- SHA1
  
  bf2f3761187cd41996565fae116392e241e2c3d4
- SHA256
  
  bc85bf351d0f875cab0a1e3bd802665cdd6ed1afe837ab9bdf3d37aeac1e5fe9
- SHA512
  
  eb58e3ba01e8350c74e0ba90f2a564dbc196191f3dba91519ef29eaec6530bdfa561526f8dc584d402d93fa6d50558b456264d12b420378c1026159ae7b054e9
- SSDEEP
  
  12288:cj3tuU9X6XyGWHBYg/8iTCX1aZBFXXQO186Nvy6kOnPMD6RCsoP4+JW22dS8gfod:e3tLJ65WhX8iTwaZfw9xAUDC8c
Score

10^/10

formbook 4kx discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook4kxdiscoveryratspywarestealertrojan

behavioral2

formbook4kxdiscoverypersistenceratspywarestealertrojan