formbook

General

Target

a0f21c163f92a84d2a55773d01eabc39_JaffaCakes118
Size

468KB
Sample

240612-rgz8qaxgng
MD5

a0f21c163f92a84d2a55773d01eabc39
SHA1

95b6737ca93693936dc9ceaeb127fa8c3379725d
SHA256

6ccef67b5090cabcd11f1836fcb0a619c065bf0ee531f7e9747794cfe5852e5f
SHA512

ac3d83f5aefb73266866c42a6c206608a8d4561f6d08c3b1c5f9d8e005de3047983586f9bc87848cf256100d36c8a5d31729f06e531b2993f2ba78a4543b8cd2
SSDEEP

12288:xVm/ZGUeXvXWeQcwhgmCoJy6L6XksNldI+sAXyLALcA7E3Wfz:x0/ZGUMvXWenfasz5y0J80z

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c191

Decoy

yegua.rocks

retouraffectifrapide.com

mediacionelite.com

carrosseriemartins.com

filminglombokindonesia.com

rwpygl.info

wkwlkj.com

yjeoevqdaf.info

margaretaphotographs.com

damaskfabricandtextiles.com

woofgang.life

goodhabitsapp.com

kunweishidai.com

kuaizhilian.com

parkaraya.com

globallogic-us.com

charlottephotoboothrental.com

pouchbagsupplier.com

njlgmq.com

nazreenakhtar.com

Targets

- Target
  
  a0f21c163f92a84d2a55773d01eabc39_JaffaCakes118
- Size
  
  468KB
- MD5
  
  a0f21c163f92a84d2a55773d01eabc39
- SHA1
  
  95b6737ca93693936dc9ceaeb127fa8c3379725d
- SHA256
  
  6ccef67b5090cabcd11f1836fcb0a619c065bf0ee531f7e9747794cfe5852e5f
- SHA512
  
  ac3d83f5aefb73266866c42a6c206608a8d4561f6d08c3b1c5f9d8e005de3047983586f9bc87848cf256100d36c8a5d31729f06e531b2993f2ba78a4543b8cd2
- SSDEEP
  
  12288:xVm/ZGUeXvXWeQcwhgmCoJy6L6XksNldI+sAXyLALcA7E3Wfz:x0/ZGUMvXWenfasz5y0J80z
Score

10^/10

formbook c191 discovery rat spyware stealer trojan persistence
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral3 behavioral4
- Target
  
  $TEMP/aname/tbl/frontpage/gsmart300.so
- Size
  
  15KB
- MD5
  
  924a4464fdee1a83e677eff2a5e7c001
- SHA1
  
  acead2b849c35b65cd1112d1f3cdec0a183e6339
- SHA256
  
  046f7908e83cb099bfb72b261aed9e2c7f9e58df9d9d879bb4996840687975d0
- SHA512
  
  541b3f923966bfe32e397c183e1efeee6d7e740450a097ce7704b75228ec5ec78bb79f4722d5958db74640baebdeb023b9789d21ab87c1f512bd05e19aae3581
- SSDEEP
  
  192:RL82kikUFU0KEOSVPjmVFu9y7LMXI1lSJQ+EKah16ZQDkZPqAi:SG60KkpjEQXI1lSJnve6/ZPq
Score

1^/10
behavioral5
- Target
  
  $TEMP/aname/tbl/frontpage/vshost.exe
- Size
  
  5KB
- MD5
  
  d9086aab959707dd1a8643f3df70db9d
- SHA1
  
  31e855c2fbd8f69b0cc149696e3fd9ca887a30c4
- SHA256
  
  07470371b6c705a49965ae5d98e26450b9fef50e4ba4851de91e29e9721ab197
- SHA512
  
  7ce65c130e3e13683a0265fb5171d2a869f0c5059ee1e38728736963c832af4cebfe9b2384b7e12beac21f0414c54ed021d331d4f51ebb1ed5f34d6e709eca57
- SSDEEP
  
  48:6PYfPQwY7B/6U7ghNb6REKUh7U2+Ivpo/fD3K/zDbdstXe8ZWfZEpK5zhGB5WguN:BPBYHguj2xvpafD3KrDbdsfWO0VmWgO
Score

1^/10
behavioral6 behavioral7
- Target
  
  $TEMP/cscompmgd.dll
- Size
  
  13KB
- MD5
  
  c4f5ae503322ec21e140a92a476d8683
- SHA1
  
  d715afbf7d9c83a8e8bbd9a92ac6ba37415e2543
- SHA256
  
  55c6fd6b6ab5c20c16c5c5f7cede98ad9b651ffb9ea723454ff1dc378eef38c0
- SHA512
  
  2d7cebc1ff721313fcc370f36670217ef9cf92128038fd4f6baea83fc7b7d7ec68c14cdc65bface3be9c731e1ad01933d0eab65b51f7f1c505052d9be1946539
- SSDEEP
  
  384:FQDdugO8hw0NlN97yryazaoP5zzODSQWcoW:FQDdugHm0zyryM5zsSO
Score

1^/10
behavioral8 behavioral9
- Target
  
  $TEMP/emirates.dll
- Size
  
  56KB
- MD5
  
  f76fdd7616a7b7f5c3bd89c576ecd20d
- SHA1
  
  4da0c0be8d2d68588da164fa1be0f24fe2bd69ce
- SHA256
  
  789baa0065751029d5271e39a52e4159a56baa990908747571725bbc4d648c86
- SHA512
  
  f8840290aee14ff6067df3de80bb505dbe21694a57e2c51840fddd983d537044015b4550bcf9983abee9cab02f59d48cfec4d28e7432f2d037ec961e2dc7b70a
- SSDEEP
  
  1536:Y7EmXoerfANp0sii1REvCBCuY45IkfkTLL:WLLA0staE5kTLL
Score

1^/10
behavioral10 behavioral11
- Target
  
  $TEMP/subscription/coords/side/link/50.opends60.dll
- Size
  
  53B
- MD5
  
  fef6ff21091dd47c0613d0d3877e5bc9
- SHA1
  
  da1674ed58ffcbb339c48c52bfdee85c27f2f4b9
- SHA256
  
  340892ce705602d6c93c888dccd941a3ea9195f78d56d92952bae9c9d0476a53
- SHA512
  
  d19fd56aadc1c95971c2373d8e47cfefe741066caf37cb326cbd65304dfc5f698a0381e1b882a8e53ca894b0f0908218bd1a8705ae33971aadc0e258ce14cff8
Score

1^/10
behavioral12 behavioral13
- Target
  
  $TEMP/subscription/coords/side/link/MicrosoftVsa.dll
- Size
  
  32KB
- MD5
  
  6e930243a0e7dcaef6206b6278564457
- SHA1
  
  3e6322d359c1f9da5a879beb87109ae041da70c1
- SHA256
  
  c32b888dd5b400bc2cf3d5c31616502704824031009839e0df4f01522fcf3789
- SHA512
  
  d0403da71cc1b2783968e92488a221fc7410d73e210b66aec6f8b9900f6c668d372b6231afd958e3ab04270328a25d35ca3170a2be1bb70abeb509a158ea73b8
- SSDEEP
  
  384:g5n3CSEt456XEKA2WNUH9c8040MzRQ7zANCHzx2k+RpSVh0+4gef8uHj3WK3JW:g53CSb57PNU9c80MlQ3RV2k2pSVh0l
Score

1^/10
behavioral14 behavioral15
- Target
  
  $TEMP/subscription/coords/side/link/XDCMake.exe
- Size
  
  36KB
- MD5
  
  d7e27f350591f1da033009f37d3473d7
- SHA1
  
  a30cf7f9b3c512e4096f540adeca6c11613dd56f
- SHA256
  
  027f769de7dee300e107c46e26e7cf906ccbdba3f266b5e55ee964116a08782f
- SHA512
  
  4d517f08819244fb7c784901db314e640f89f0726694e5356b1806ff4a32bb030159bc795f0081d67fba17570369b83622121f2370073cd6f42f785e6d557900
- SSDEEP
  
  768:Z3vmOjm8LGglFJzrTZfwIO0l6DdseYeejL3d/o+Zm:BvFjLLG6nZO08DujR/o4m
Score

1^/10
behavioral16 behavioral17

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17