formbook | bee560d0333b22a45f7340b3bb0a57a1e8fef6f2cd638ec60cab6dcd310cb226 | Triage

Sharing

General

Target

JaffaCakes118_bee560d0333b22a45f7340b3bb0a57a1e8fef6f2cd638ec60cab6dcd310cb226
Size

968KB
Sample

241226-vwglpssmep
MD5

4c886fde6ff10b8cf006a3f9cde9a639
SHA1

9fb1d0df2f47358db23e096ece136cda32632a03
SHA256

bee560d0333b22a45f7340b3bb0a57a1e8fef6f2cd638ec60cab6dcd310cb226
SHA512

b3f4da2e60673c154b4838c22779489d94fec3f6147abf3fbea03659dbf9d48b32c8cbc018ff87d8d0b0fd17c5fb32a9461842b7e84bf7500302bf934f5e3077
SSDEEP

24576:mVaFALs03HjKFWpA7S5r2x9wPzWIDY/JkF2qq:mVauY02QGG5r2xVA2qq

Score

10^/10

formbook c5u0 discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c5u0

Decoy

therapy-bar.com

tronqq.xyz

uniquehaxball.com

hornyhank.com

wanggongting.xyz

sgjndw.com

bigtexaschl.com

bluemilkncookies.com

itimamae.com

palpite.me

404x95.xyz

ham29.store

qualiscotech.com

txsret-gc.com

anthonyroofingco.com

lhfhgy.com

royaldutchapps.com

pandodns.com

xn----7sbbi0bxfbjxd.online

usbcamera.online

Targets

- Target
  
  9433bad28e2f5b93f26ef692353bf1fbb7f51bddb3e3780446893c10b9f8f6f3
- Size
  
  999KB
- MD5
  
  102a8198e3fb713f3cf3f77a1f0c4040
- SHA1
  
  41465c7ebb50e1202354974841f0c542733b1d98
- SHA256
  
  9433bad28e2f5b93f26ef692353bf1fbb7f51bddb3e3780446893c10b9f8f6f3
- SHA512
  
  571322371df8ee0c21c118e314ffd8299c049f7616870acc6d30ae4bcbb85a7f312d85b1db6cc89fb9b11e1fc20873809ea19b72b5cb3b05bcbc1d86c158c566
- SSDEEP
  
  24576:pBhEA9CBESBU1rvEQP7XaDRngG+sjzX7vG0Mh+dgUhuiiz:DhEAMBTBU1zEQra6G+2e0k+LhuR
Score

10^/10

formbook c5u0 discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookc5u0discoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookc5u0discoveryevasionexecutionratspywarestealertrojan