formbook

General

Target

Untitled attachment 00075.exe
Size

938KB
Sample

211007-tctlgschbk
MD5

8cad21a8377f81f6647fac069ff6222d
SHA1

c06845f662d64492d4c4df1a6c506d20bebda40d
SHA256

a4bf92333fa0839d92c30859f87f08f91f988c35dd30227c2b4fe60e7188a4a2
SHA512

e6373bc79be0361d0fe60456a466f620d476e706770ebd15fc17ca3ee28b7b12d09eb70e3caf5ea3db8d4b778822e6830fc9ffe0c1d3e90fa6e01f4438c95a12

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

C2

http://www.kmresults.com/n7ak/

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Targets

- Target
  
  Untitled attachment 00075.exe
- Size
  
  938KB
- MD5
  
  8cad21a8377f81f6647fac069ff6222d
- SHA1
  
  c06845f662d64492d4c4df1a6c506d20bebda40d
- SHA256
  
  a4bf92333fa0839d92c30859f87f08f91f988c35dd30227c2b4fe60e7188a4a2
- SHA512
  
  e6373bc79be0361d0fe60456a466f620d476e706770ebd15fc17ca3ee28b7b12d09eb70e3caf5ea3db8d4b778822e6830fc9ffe0c1d3e90fa6e01f4438c95a12
Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2