formbook | 0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248 | Triage

Submit
Reports

Overview

overview

Static

static

3

bb53429c93...18.exe

windows7-x64

bb53429c93...18.exe

windows10-2004-x64

Sharing

General

Target

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118
Size

745KB
Sample

240618-lyds6asenp
MD5

bb53429c934474eb4ae15362b0b0fed9
SHA1

88339aea119d80c639e1e98483936a8ca92e7fce
SHA256

0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248
SHA512

5b24c177f0e252547475258d5caa5dfbf58d16d3de48224d00bca0b3edee9b5d505d33c24c58a0a86dc5832425b26431f9145967ca9ddf53a116cf7a9915cffa
SSDEEP

12288:uPq7y8gnl7DlLgY+/HY0nwNtA8utQyoHGaoe6Xk0eXhMMWTIMjdW3rYgbFT/c:cqO7LgYsVw3DlyGiQOVIM5W3kg5T/

Score

10^/10

formbook hx251 persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe

Resource

win7-20240419-en

formbook hx251 persistence rat spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe

Resource

win10v2004-20240508-en

formbook hx251 persistence rat spyware stealer trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

hx251

Decoy

cttexpresso707870.site

get-motivation.com

0473.ink

tooniker.com

mediacionelite.com

barterdeck.com

revergereview.com

dafaok66.com

nukonu51.win

hotelesnemocon.com

edijsbogomolovs.com

businesoint.com

bsxdq.com

emanuelhospice.com

marlyprojects.com

jsmw297.com

alexandra-wehner.com

detroitpropertymanagment.com

xhtd293.com

uuluav19.com

traveljasmine.com

clinicamagnolia.com

zhsqhs.com

kitzoinsights.com

blogcarinsurance.com

thomasbaauw.com

crazy-rabbit.com

virtudessarmientocoach.com

historymapped.com

vipka888.com

chat-masr.com

tripdeo.info

wwwjinsha441.com

zafsdyg.com

alplp.link

drjamesbarber.com

rbuglicensing.com

nimmerlandgaming.biz

thekmj.com

kwnsu.com

boxclickship.info

lade-chicken.com

062manbetx.com

koolasbaby.com

adminyhz.com

ywguksnunbpp.site

4683389.info

qhdmzg.com

js139yl.com

prontoeletrobr.com

decisionpointstrategies.net

ababel365.com

eastwestvet.net

gymnative.com

sljdcpd.com

poereeflight.com

lyzns.com

hoangphatnoithat.com

llygo.com

themodernfarmermpls.com

olkhx.info

17mobile.loan

moontheradio.com

zsgc.site

hemalipaterl.com

Targets

- Target
  
  bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118
- Size
  
  745KB
- MD5
  
  bb53429c934474eb4ae15362b0b0fed9
- SHA1
  
  88339aea119d80c639e1e98483936a8ca92e7fce
- SHA256
  
  0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248
- SHA512
  
  5b24c177f0e252547475258d5caa5dfbf58d16d3de48224d00bca0b3edee9b5d505d33c24c58a0a86dc5832425b26431f9145967ca9ddf53a116cf7a9915cffa
- SSDEEP
  
  12288:uPq7y8gnl7DlLgY+/HY0nwNtA8utQyoHGaoe6Xk0eXhMMWTIMjdW3rYgbFT/c:cqO7LgYsVw3DlyGiQOVIM5W3kg5T/
Score

10^/10

formbook hx251 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookhx251persistenceratspywarestealertrojan

behavioral2

formbookhx251persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy