formbook

General

Target

BOM Contracting and General Supplies.js
Size

22KB
Sample

211011-hn8zrsgegn
MD5

81a0010758bb3da2796a7506bfd4aab3
SHA1

ffc61c27e1a58878878e7b2b44c97ec23c0e09d2
SHA256

3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6
SHA512

9521ed85e7a83eb890f706add3da9c29d29bd5c5b4a535541df9eb4072f4944fff34643289955ddf37be16f3cf815a8f77392cc656c0bb85506211ec28680779

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k9d0

C2

http://www.dotgroup-email.com/k9d0/

Decoy

flourishpodcast.xyz

xn--nga.group

music-tomato.com

motory.store

arrivehike.info

xn--diseowebseo-4db.com

centpourcentsons.com

qnnjja005.xyz

annielynnrose.com

darlaevans.com

door-maximum.com

chinataibaifen.com

stickerhicks.com

ta2gamesstudio.com

jendelanews.com

milestoneneuro.com

premierconciergehomes.com

exitcounter.com

jrsway.com

famurainmobiliaria.com

Targets

- Target
  
  BOM Contracting and General Supplies.js
- Size
  
  22KB
- MD5
  
  81a0010758bb3da2796a7506bfd4aab3
- SHA1
  
  ffc61c27e1a58878878e7b2b44c97ec23c0e09d2
- SHA256
  
  3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6
- SHA512
  
  9521ed85e7a83eb890f706add3da9c29d29bd5c5b4a535541df9eb4072f4944fff34643289955ddf37be16f3cf815a8f77392cc656c0bb85506211ec28680779
Score

10^/10

formbook vjw0rm k9d0 agilenet persistence rat spyware stealer suricata trojan worm
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies WinLogon for persistence
  persistence
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Formbook Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2