formbook | 87f8354a4aa0548f3bfceba73dc020e8160ad89f1c8b5e41d53f7457c8ba8b93 | Triage

Sharing

General

Target

JaffaCakes118_87f8354a4aa0548f3bfceba73dc020e8160ad89f1c8b5e41d53f7457c8ba8b93
Size

359KB
Sample

241230-3msavaxjfy
MD5

51317f8895f383675f74597fbb17c8d4
SHA1

e90eed2bb150680f5ecea58c3f9cc09cdf295ce2
SHA256

87f8354a4aa0548f3bfceba73dc020e8160ad89f1c8b5e41d53f7457c8ba8b93
SHA512

cd5b23034d223cbb68fc7440c5ecdf9dc7506e7eb301b68a0a2251a088304b87f1360bd08002c33f04e7dc6cc1930e87b9052b3b31f369a415f5a6d28702e234
SSDEEP

6144:VE6nbe9BVtxfeMbTXYEcJ00PV5C9fu3DUuY5FrTQQDmnK0WlxzhV1ZAWA1:m6kVtV33IEc00PP3XY/QQIK0WldhBA31

Score

10^/10

formbook wt6 discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wt6

Decoy

mdjbjsc.com

twosparrowslsbusiness.com

captipe.info

spirtofafrica.com

teacher4today.com

d9masks.com

americanveteransparks.com

originvinylvermont.com

lifeguardboat.net

neynunescuritiba.com

4activelife.xyz

tiniytie.com

schirmenworld.com

nogbeter.com

bikerm.com

higherpurposeproject.com

melloband.com

cremgrs.com

chengyuanwai.com

multiplewealthsecrets.com

Targets

- Target
  
  0CT2020PI.exe
- Size
  
  449KB
- MD5
  
  0323276cec08509c8e789d02a72e91f6
- SHA1
  
  42e777f48b451e11bdc6a94966402318c30e1e18
- SHA256
  
  42e9c8cb3f59920b9ba876d6ada4d7a23c4feea3bfd5d93e6758da2ab1d470c5
- SHA512
  
  6e2d59de9016ef9e37ae76d1d94091c95a0b523c113d3b346b523ec788b4d0c596130c4ba76cab1729e50302cb25845d47be7d76b033c39b1b88f5bda3f25b0d
- SSDEEP
  
  6144:SqoZ0sHMGbBUkuetgzBgj8XG4p4Ir8ZOCfdaDe2ji7qK1GPxL1+zfZCpPnpmwuFs:SqoOT94IrQ5dFWif1GpL4UaSZNL
Score

10^/10

formbook wt6 discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Windows security modification
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookwt6discoveryevasionratspywarestealertrojan

behavioral2

formbookwt6discoveryevasionratspywarestealertrojan