formbook | eedbbe2b45d3dea47ddb5b56848edf35f0439ec68bf2767ea985d28b4834db0a | Triage

Sharing

General

Target

JaffaCakes118_eedbbe2b45d3dea47ddb5b56848edf35f0439ec68bf2767ea985d28b4834db0a
Size

541KB
Sample

241228-2np2fatrfr
MD5

12479e8c7411b92984a6571d16d6bbc4
SHA1

ce1fdfbaeeb4ebd41d19575753721c672405ecc6
SHA256

eedbbe2b45d3dea47ddb5b56848edf35f0439ec68bf2767ea985d28b4834db0a
SHA512

32b135f0c77b0d8495ff6b3ef7f9144548cb691a09380c0c822492f2c421ae22c6a00c65052d6bf09c6784dfe8c5ca8354accec3bcc29f46b578645d1070d02a
SSDEEP

12288:o1Tx3zp+a+ORpdoxSVJPupYUADERDWgxd/A6+PM/jH/DcaS5lYlCLS+a:o1BzpT+Ozds4JU1NEo46v/78PYTv

Score

10^/10

formbook dfc discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dfc

Decoy

photographytune.com

oleandrinbotanical.com

hibcapital.com

katgermosen.com

careerwomensgol.com

oliverezechi.net

hrbhrt.com

codeopulence.com

merrilllynchph.com

globallionsco.com

cutass.com

sarahalhashemi.com

izzyandi.com

snacklabbet.com

manufaktura-uyuta.online

powayvotes.net

helpspine.com

arlto.info

sofakingwet.com

cretanhandcarving.com

Targets

- Target
  
  8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00
- Size
  
  599KB
- MD5
  
  92592b4ed9b80ddab77d8e19d2ea120e
- SHA1
  
  aae8fdb85bbf71c66d6001be2302018f97ea3375
- SHA256
  
  8649b814fa724e40e4dae7cc2d9d727da957b760e7d28d3af04a7c1011311a00
- SHA512
  
  3e6a4ec71c2ce0d2989325f09db6c9189c8eca95af9ea1bb749436f79826afe5a12df2fe6aa2bc2cc6b02fe91fcb230b9cdb73ff0ac8ecff4c92e910bfcb3352
- SSDEEP
  
  12288:07Io/7u4UlyVVKhl3tpBuivKhwtfgfRFmFeytYY2j3ga0gvV:07T7cWm9pBqQfScFeUYY2jwa0
Score

10^/10

formbook dfc discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookdfcdiscoveryratspywarestealertrojan

behavioral2

formbookdfcdiscoverypersistenceratspywarestealertrojan