formbook | f1970e45484f0a246ae212ee63da91c7f8ee00b2c01a97922cad5519789797ec | Triage

Sharing

General

Target

JaffaCakes118_f1970e45484f0a246ae212ee63da91c7f8ee00b2c01a97922cad5519789797ec
Size

656KB
Sample

241225-tlh64sxpct
MD5

04be1648f70180f76a75419ae2a5bb42
SHA1

4c89dac95865ac6e904ec27d57077d0c127b3a1b
SHA256

f1970e45484f0a246ae212ee63da91c7f8ee00b2c01a97922cad5519789797ec
SHA512

e10012d118d40b81dc4c64f10de846226af203f39ead769bce34632df855f6bd1af9b8998bb78a7353ead37c9af885cbb921bc65da66928a836f91363156b99b
SSDEEP

12288:g0mSHDGvdT75XYhXiULVTi/Zu/UgDmwnH3pJ7lEFaT1ebYDXCN1efFG:gjSHKdT9YgULVTi/o/QwnZJ7lEM1ekXm

Score

10^/10

formbook hx303 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hx303

Decoy

pureommassage.com

tazo.ltd

zixunzd.top

booksmaven.com

307countertops.com

hbfyjc.com

latinamericabridge.info

cannadocbd.com

doriesvariety.store

tineedst.com

zajdshj.com

xnxaxx.com

drjacobpedraza.com

sensationvisuelle.com

termteach.com

ysialerts.com

kblandscapeinc.net

sheetmatters.com

ledfriday.com

urbare.net

Targets

- Target
  
  eAdvice.bin
- Size
  
  803KB
- MD5
  
  374dfcd12791782c9f84b3dd72c47029
- SHA1
  
  5462c5daac3985aea3e1dff59f055183a62d9065
- SHA256
  
  89743e19eb7f977dab3591eda342ac51cead1a15829028a151359e845c10a255
- SHA512
  
  813de7f1e6fb3bfbcdb40d09bef3161882356f9a786e53206ed17d6e12cd2b5f2615ec619d1de850b994b857285971f03dfc59282b81e5a53eed7fed8db25186
- SSDEEP
  
  24576:7azjP6+z+2fNzDFnGNsveawUNXit980Ipulg:+XNFnFnGNsvvli980I
Score

10^/10

formbook hx303 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhx303discoveryevasionratspywarestealertrojan

behavioral2

formbookhx303discoveryevasionratspywarestealertrojan