formbook | 18db4581c44171ff15febaa0bc422c7b4a732500a346476dbebc5a8626033288 | Triage

Sharing

General

Target

JaffaCakes118_a47ac8579729c9196b042a9854d9c9fb
Size

518KB
Sample

250108-rrp6hatjfs
MD5

a47ac8579729c9196b042a9854d9c9fb
SHA1

0100d1ba06eebc095414b2187f8a7c630fd18c6a
SHA256

18db4581c44171ff15febaa0bc422c7b4a732500a346476dbebc5a8626033288
SHA512

e9f39e4731c20db7aed43b242c87976ff935c1a1d86fa06f77c4944679872c7ae43a4f65d1ca8f791832f4a40b51a544661f1c19b8b07ae72a748e351d941a12
SSDEEP

6144:9iTtxYG7vsO+LEfW3KSongYQytmWzLJ/QStdaMBjhCs5OPzaYmN:9iTAGbsOTO6SXctmMwACiOLbm

Score

10^/10

formbook ct6s discovery evasion execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct6s

Decoy

liaquatsibtian.com

erisa.cymru

theultimateone.world

petpartner.info

edison-press.com

ryanmurazik.icu

bukasystems.com

kitsusimplex.com

qatarstyleart.com

brkhot.top

paehdfdtrujdfhs.xyz

createdbybonk.com

kuihoon.com

deathtocustomerservice.com

iotimb.com

greendiamond.pw

millionaireproducers.academy

websitemolsa.com

cbshomeimprovement.com

eardunder.quest

Targets

- Target
  
  JaffaCakes118_a47ac8579729c9196b042a9854d9c9fb
- Size
  
  518KB
- MD5
  
  a47ac8579729c9196b042a9854d9c9fb
- SHA1
  
  0100d1ba06eebc095414b2187f8a7c630fd18c6a
- SHA256
  
  18db4581c44171ff15febaa0bc422c7b4a732500a346476dbebc5a8626033288
- SHA512
  
  e9f39e4731c20db7aed43b242c87976ff935c1a1d86fa06f77c4944679872c7ae43a4f65d1ca8f791832f4a40b51a544661f1c19b8b07ae72a748e351d941a12
- SSDEEP
  
  6144:9iTtxYG7vsO+LEfW3KSongYQytmWzLJ/QStdaMBjhCs5OPzaYmN:9iTAGbsOTO6SXctmMwACiOLbm
Score

10^/10

formbook ct6s discovery evasion execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookct6sdiscoveryevasionexecutionratspywarestealertrojan

behavioral2

formbookct6sdiscoveryevasionexecutionratspywarestealertrojan