formbook | c9fd4faec6e143563890f5fa1008ecf9d66fecfef294b883a65439dd71dd8b8f | Triage

Sharing

General

Target

JaffaCakes118_c9fd4faec6e143563890f5fa1008ecf9d66fecfef294b883a65439dd71dd8b8f
Size

861KB
Sample

241226-yfkj7swqfv
MD5

e4c7354e13173fe4d3080698e2524ca5
SHA1

952969c194227f9dcd8d9c0eb65b2f72ce9bc0af
SHA256

c9fd4faec6e143563890f5fa1008ecf9d66fecfef294b883a65439dd71dd8b8f
SHA512

34988e2763a510b999e8aa21eb723527eb8b30893cac4ecdcb96b1733a249f5a4512c29a51d11e2fdfaf59dc8bed4accb1621aca6aac8d2443f81742aca9bf6a
SSDEEP

24576:rn71TaLC/gCptm+OrGy91JytbVNGstjITWAgYxYOSdu:jFBgbt4xxjTYyOSdu

Score

10^/10

formbook ch24 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ch24

Decoy

tmicp.com

lauriceiker.quest

neighbor-works.com

santiemprenderich.wiki

thecraftytxdogmom.com

abramolfactory.com

prettylittlesoles.com

thistimeandilove.space

imperialshaving.com

aflorideallgarden.com

thbfjs.com

marketmove.info

echocoins.com

ztkzw.com

sandyhookfishandribhouse.com

gamesxfr.com

frontline500.com

cbburrnet.com

boliviaoferta.com

jdzmklc.com

Targets

- Target
  
  0133_3674633_83637598_3647,pdf.exe
- Size
  
  1.3MB
- MD5
  
  c3f45e9d88589b1ff6a362dddd17c55d
- SHA1
  
  92d450501abdeb9148dc5ae2fcf20cbb98451d12
- SHA256
  
  c9ccfbfa367975e9c021bb6dc0d0bd42b31922c328a46d8547e28f11c55c689e
- SHA512
  
  0e539f253b20c1a4d59a5b44e0417d18e22f58ca1f4fe1118048c47f05d5bd2a672d7aafb63ae8501569840f98e04d61e6e15ea35fd942c903612e516b938062
- SSDEEP
  
  24576:/7E1X+6AX8B26SLmfpL8qn/ytBgXfKnks1qUhVJR1IoIhI:/uX+6Ao2FaL5natBBnks1zLR1IoIhI
Score

10^/10

formbook ch24 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch24discoveryevasionratspywarestealertrojan

behavioral2

formbookch24discoveryevasionratspywarestealertrojan