formbook | 8e174883f3534b9cc35a7f6abe7afcd110d8a147087e29f40e8a697f4de0e04c | Triage

Sharing

General

Target

JaffaCakes118_8e174883f3534b9cc35a7f6abe7afcd110d8a147087e29f40e8a697f4de0e04c
Size

450KB
Sample

241225-xvy6gatngr
MD5

9115a1d035a724f464b4715b882572f3
SHA1

9cd83e27f0d26b740ba86d6c2a7ed4eda69abafc
SHA256

8e174883f3534b9cc35a7f6abe7afcd110d8a147087e29f40e8a697f4de0e04c
SHA512

71bb9f8c3a8b1928d4c097e638b7563e4f7a3d122fea210ea521a1de2f372b0cad5eda0a6e446ae94b4c066613b8ab18300f7e0f0e0e053e1db469d3bab8e6d7
SSDEEP

6144:3d9MtK085dGNT3PC2NRyeKjhCsPBl6x/AX9YVylTD3yq7Q3aDGQkSZ77t1mVHQ1h:ty386N7C2mZsjAhDCq8BzSdwa6Fl4

Score

10^/10

formbook svh9 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

svh9

Decoy

jejupassive.com

schoolrepetit.site

ganfraud.com

kuoretkauppa.com

bgdocs.online

climatechampionsfund.info

lamaletadeagustin.com

jessicaolear.com

oncologyacademe.com

aurum.academy

thaliasoap.com

tempeindo.online

alnajem-law.com

eracab.com

ozerk.site

3drinkmin.com

synergygroup.fitness

foundyourlabel.info

bonniebagay.com

wcncusa.com

Targets

- Target
  
  Remittance Scan DOC-2029293#PI207-048.pptx.exe
- Size
  
  602KB
- MD5
  
  7619630836e31219892819641fc56773
- SHA1
  
  23ca70fb00964a3059a6838bc906a511741a3d38
- SHA256
  
  4bbda63f732b2341b67208a1f237db39488fed540f55ee994a641a0a133ec0ac
- SHA512
  
  c7703054434c9c3c2a7074e470f89d61c8455fb466e14a34b436460c1bd17299a5976d87b504a695c52f04d4f6ca9dc4f697a18bc9f8e17baade5bda175467a4
- SSDEEP
  
  12288:6+ZRT7+v5UH3Tyzgj3pIXMRg9A1GKZHNYPzodG5hIE8Tv:6e+OH32EDSX0oA1GUKzodG3
Score

10^/10

formbook svh9 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooksvh9discoveryevasionratspywarestealertrojan

behavioral2

formbooksvh9discoveryevasionratspywarestealertrojan