formbook | 5b1dae0459ba4acf846a07e0d68475758c8f49bbef43b1b13e243e5110a86e2a | Triage

Sharing

General

Target

JaffaCakes118_5b1dae0459ba4acf846a07e0d68475758c8f49bbef43b1b13e243e5110a86e2a
Size

683KB
Sample

241229-ambc4swmhw
MD5

e71b54bbd7d5a8405463c51c3b3b0ebc
SHA1

4632855562594a36f89e9a362ba0ba986427e801
SHA256

5b1dae0459ba4acf846a07e0d68475758c8f49bbef43b1b13e243e5110a86e2a
SHA512

4bfc8a67f3f8317163be871bed4d816ad93c04b789e610a7bf219dc3290e3b82c7da1dcb252ee8aa01c45038a9bcf1a449dd59eb81b184f456410ea7b04bd9ae
SSDEEP

12288:US0IvdVhWq3/SFpsR/Be7iVvCTNHKCvdkoqE8hmz3uAaTWgr:US0I7pPSFpsR/Y7gvC1vyoqdq3Lgr

Score

10^/10

formbook n7ak discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Targets

- Target
  
  fslakj4w.exe
- Size
  
  973KB
- MD5
  
  f9c0d7cefb55c367f9dda0ba122fea52
- SHA1
  
  e809b5d8a8659033ebcb58a332b51ab306ad0537
- SHA256
  
  c193f7d1ed39688cfd7a5589e6c128c21515485b4a0de89dc7e2452f8f751d5f
- SHA512
  
  abf1fc4b4e862e6a6eff7b3f895dd26938946dd049d99d27c4cdd66cc22cc3d933bd2033e2f0d1ec1730cf49e7108285a67784254278dab7b25ad6924b25283f
- SSDEEP
  
  12288:FjC/7ZPvq1igKj7QA5Ke7+VvCTdHKCvJtoVE2hmzk5Cd30iE:FClPuOQA577cvCdvroVpqmm0
Score

10^/10

formbook n7ak discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookn7akdiscoveryratspywarestealertrojan

behavioral2

formbookn7akdiscoverypersistenceratspywarestealertrojan