formbook | eed0f8c78ea3e75f8716e6a45b936c3949108cd7920d657c63824bc9a6bf9c37 | Triage

Sharing

General

Target

JaffaCakes118_eed0f8c78ea3e75f8716e6a45b936c3949108cd7920d657c63824bc9a6bf9c37
Size

356KB
Sample

241230-22ywhawjht
MD5

b810c4ea6820bd93094cc0a5b5bec123
SHA1

6e009861acf95c8973b8371054442c8fad63f685
SHA256

eed0f8c78ea3e75f8716e6a45b936c3949108cd7920d657c63824bc9a6bf9c37
SHA512

efea171b01f77f2894beec5d72cd91a4f7334f51c4e3089901db9f116a78e82b04fd040709d936f05314645abfd64a7ebbe821947ee79d39c2712ac430783108
SSDEEP

6144:iLwSfGXRR74c7ZxEYQvmKd5g+TVG5XPLBXCCSonu8vY3YF93yvOwx0CoS1pTpd/E:iLnu74cnmmKFJG5fLB0vYF93vwVX1HVc

Score

10^/10

formbook wt6 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wt6

Decoy

mdjbjsc.com

twosparrowslsbusiness.com

captipe.info

spirtofafrica.com

teacher4today.com

d9masks.com

americanveteransparks.com

originvinylvermont.com

lifeguardboat.net

neynunescuritiba.com

4activelife.xyz

tiniytie.com

schirmenworld.com

nogbeter.com

bikerm.com

higherpurposeproject.com

melloband.com

cremgrs.com

chengyuanwai.com

multiplewealthsecrets.com

Targets

- Target
  
  0rderD4ER18jd.bin
- Size
  
  444KB
- MD5
  
  3e7db94077f8a289fe1676cd4bbc09ef
- SHA1
  
  dad79b2bdeea126658c5fcb0f42850589d6ce92d
- SHA256
  
  bd4d161a4d284fe71f101a6a68a3159a3cee958e42d53d1f140aeb1db52933f8
- SHA512
  
  c8e26baed0c72db6c2a8b2903fa9469b3e803ef0f4f58996f841a73f75705be79ee67ea2b4cc14ea4de528a67a32017880fb6647b64261b2fd301711806bbde6
- SSDEEP
  
  6144:AI3i64S3XFpZTY1piDh8pbDQRDRjEzEqUXHhkmTC0wNONnOQTAjyKz7dFHm3l/J6:Z3fs7DuljpqIhkiiNvQ0BTmbA1
Score

10^/10

formbook wt6 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Windows security modification
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookwt6discoveryevasionratspywarestealertrojan

behavioral2

formbookwt6discoveryevasionratspywarestealertrojan