formbook | 43498d0fd9a7413bb86490ef4e44529779e18c3cf9f78c5b1f2b53d29cf606af | Triage

Sharing

General

Target

JaffaCakes118_43498d0fd9a7413bb86490ef4e44529779e18c3cf9f78c5b1f2b53d29cf606af
Size

895KB
Sample

241229-kj6d7axnfz
MD5

4359d1f1562c5746d59d37fbad2c001a
SHA1

b836fec95bf6c239efc6285aa3160bef799c3f85
SHA256

43498d0fd9a7413bb86490ef4e44529779e18c3cf9f78c5b1f2b53d29cf606af
SHA512

69a044530ad4d7e4261f1fd0095eef7bde84c1cbfc20f3b9f01ca2f792d71c790d9466d7b48205c4648ff3689249e1758deee4f09f97240f09a8341ab34ba46c
SSDEEP

24576:G12XSwvAgWY6W20zI1eFNktLX36fmBCZdfwz0e:aMvAgWY6DeFNmX3yf29

Score

10^/10

formbook ch24 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ch24

Decoy

tmicp.com

lauriceiker.quest

neighbor-works.com

santiemprenderich.wiki

thecraftytxdogmom.com

abramolfactory.com

prettylittlesoles.com

thistimeandilove.space

imperialshaving.com

aflorideallgarden.com

thbfjs.com

marketmove.info

echocoins.com

ztkzw.com

sandyhookfishandribhouse.com

gamesxfr.com

frontline500.com

cbburrnet.com

boliviaoferta.com

jdzmklc.com

Targets

- Target
  
  doc06520720220131121555,pdf.exe
- Size
  
  1.1MB
- MD5
  
  b274a8db1f2759a5633feda3ebb76e99
- SHA1
  
  bb145758eee0923a3b5fef02c300fe631855bbb6
- SHA256
  
  cbf712334783e060e67ba77d675a7402efa44b879aeed5b56fdbe9f2b01ee99c
- SHA512
  
  8b070b4686d60f7cb26e77451975bc1cade564def98b92077db90b6202a2439857e9df95fadf39064e717acad6fb64dc0065b1f0e4ea9d126f223fb7ac0b3471
- SSDEEP
  
  24576:eYhos91WO8ZCh9/9D/bLWLcygotSl2G6PrOTg0cm+pS8Yx:7hos91N7h9/9bbLWrdSl2G6PrOTg0cmh
Score

10^/10

formbook ch24 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookch24discoveryevasionratspywarestealertrojan

behavioral2

formbookch24discoveryevasionratspywarestealertrojan