formbook | d31d5e893804a4ebb6e025ae41d2f83702eb636f8ebdac1094ee946b8e1f711a | Triage

Sharing

General

Target

JaffaCakes118_d31d5e893804a4ebb6e025ae41d2f83702eb636f8ebdac1094ee946b8e1f711a
Size

468KB
Sample

241230-zqb69a1lg1
MD5

719f1831ddbd2d1ef17287ae419a98a3
SHA1

6d3cf47c794cb44b05bb89fb81e6ed30b0afd056
SHA256

d31d5e893804a4ebb6e025ae41d2f83702eb636f8ebdac1094ee946b8e1f711a
SHA512

6863930ac8d26b034797de0ca5f0ddc99b3d64b80b315761a3600a4df106740908eb407127856599900d65b0cf4c99ca2dc3e702c40bb6b24f29ee823a304ca5
SSDEEP

12288:rrisJ8l5y8a2MSK+VfXYDCl7k+aiKL5e5p02NqDiSPJD/Ipe:HisJ6yKm6wDCl7k+aDdipKpIg

Score

10^/10

formbook moc discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

moc

Decoy

filmecloud.com

xn--4y2bx6nu6b91cbwr.net

dekreatif.com

salesnksportswe.top

shsjazzy.com

pezoutlaw.com

himayauae.net

deonlimua.com

tepeyacmexicancafe.com

kondrdr.icu

yogawitheylem.com

venomancillary.com

jmcolegate.com

supernintendoxo.com

birdsbeesbatsandbutterflys.com

prontoinfissi.net

sellslikeschmidt.com

michaelforshort.com

eleventh-commandment.com

fixitdoc.info

Targets

- Target
  
  Payment for New Order.bin
- Size
  
  561KB
- MD5
  
  70cb834f18f6de7e4db435908a55fd5d
- SHA1
  
  6bb3eddc64b5960be38d7c285dbaf77d3afd65f3
- SHA256
  
  b942a8a8c29b7e6245285fb893a10994f97af37b33eef8579820376016ee021d
- SHA512
  
  6e459251840bcd1a130e0f9fe5a45b2b1378d093ae303dd5a20e158a621848dff0469923a1892d24b38a5958b2753541686aa1b78f74076cf7722eb01747b57b
- SSDEEP
  
  12288:ZiYoG8ydzKwiet0+P59l33Na9rKC8fY8Bbo/:ZVX8y7Nj5bU9rKFf5B2
Score

10^/10

formbook moc discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookmocdiscoveryratspywarestealertrojan

behavioral2

formbookmocdiscoverypersistenceratspywarestealertrojan