formbook

General

Target

Invoices_Unpaid.exe
Size

208KB
Sample

220125-tf1h7sadfq
MD5

3c2d3897a2430c9118089d03b6a82187
SHA1

d4733dfdf9eb33ae70df693bbb5b28d27f7469b9
SHA256

0e8050dfb18d0f64f5a92421b4de593e3605a89a71b8042c702d8233460689b1
SHA512

c32da23d60b649fd56e8713aad43e118d8951f5a5979a1ae3fc7f2075c22333373175e86ad08e79c7674ae6eff2b9167d0f36224aa7176d9610be2ce6bd21400

Score

10^/10

formbook guloader we downloader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

we

Decoy

airtimw.com

whichbutsmoke.xyz

produkkece.xyz

nato-riness.com

bowdencorp-au.com

sompuracorporations.com

jewishwarstories.com

pionieren.com

gearmoapp.com

nulineltd.com

transponders.xyz

vconferenceonline.xyz

everbloom.xyz

otu4d.xyz

rodgox.com

telephoneetherealcabbage.xyz

fidelitynvestments.com

matscentre.com

steroidsprofile.com

ifreemobile.com

Targets

- Target
  
  Invoices_Unpaid.exe
- Size
  
  208KB
- MD5
  
  3c2d3897a2430c9118089d03b6a82187
- SHA1
  
  d4733dfdf9eb33ae70df693bbb5b28d27f7469b9
- SHA256
  
  0e8050dfb18d0f64f5a92421b4de593e3605a89a71b8042c702d8233460689b1
- SHA512
  
  c32da23d60b649fd56e8713aad43e118d8951f5a5979a1ae3fc7f2075c22333373175e86ad08e79c7674ae6eff2b9167d0f36224aa7176d9610be2ce6bd21400
Score

10^/10

formbook guloader we downloader persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Executes dropped EXE
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Executes dropped EXE

Checks QEMU agent file

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2