formbook | e7e6d1c7dda7f813373224350a84133f231850c14c3bf771cc9026a7c9ebf813 | Triage

Sharing

General

Target

JaffaCakes118_e7e6d1c7dda7f813373224350a84133f231850c14c3bf771cc9026a7c9ebf813
Size

676KB
Sample

241230-fqd63ayphl
MD5

4ead855fb48ba8e4178acc5d1754ff92
SHA1

f579fc0b2dd775a4f966a03f0316dcc18466017f
SHA256

e7e6d1c7dda7f813373224350a84133f231850c14c3bf771cc9026a7c9ebf813
SHA512

abedbfc93d8865c414e7d21060a280f3b078e9c8b17b9d15d827bda790a2774020907aa44561370d6ccd9fb94f269165ff827c571da8e4b58a5b99f7d2e0f5da
SSDEEP

12288:rVSXCx+aUCxBvtNe+qBrpXl+gm3RivAv6rjmcmt20uV4XDuGecDjqTwd:rVSXCx+uBnRqBtX47ipj/mf4SdBvqY

Score

10^/10

formbook cmd discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cmd

Decoy

marksmanrealestate.com

weeiter.com

dimody.com

tufftech.pro

romber.info

2theothercurb.com

maskibeauty.com

kreativedough.com

adanacatering.com

wordzninja.com

testxyy.xyz

lifeafterbobby.com

sunsageherbs.com

dentoncountyattorneys.media

18176732933.com

fjhgllnrz.icu

cryptobankcustody.com

theinternetproducer.com

motinik.com

getcatickets.com

Targets

- Target
  
  Purchase Order.bin
- Size
  
  1.2MB
- MD5
  
  4dd9b0d139a7c9618fa5344e6b1387f8
- SHA1
  
  53138f14140eb1c253e7985b8385e3853e5a5ac8
- SHA256
  
  73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
- SHA512
  
  754b31faed9881071816f2f6a1cd1ae71cae4c0b0590dc22e44211fc2c33d436e62e0b9ac28881284f1e176bdc8ec414db165776391dfa7ba238baa301465ed3
- SSDEEP
  
  24576:tdbfh8PGaONqv3Dp2E4xGREkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMK:vyPGaOgNfREkcMMMMMMMMMMMMMMMMMM+
Score

10^/10

formbook cmd discovery evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookcmddiscoveryevasionratspywarestealertrojan

behavioral2

formbookcmddiscoveryevasionratspywarestealertrojan