formbook | 93fc98148dbcc6f16b8f6ca1d8bd6bc68eafb2b4b68e697135561f5845cf82b8 | Triage

Sharing

General

Target

93fc98148dbcc6f16b8f6ca1d8bd6bc68eafb2b4b68e697135561f5845cf82b8
Size

656KB
Sample

220227-d6bd1adaem
MD5

68378be4104c3c2755528a8b220bed75
SHA1

73669194e71efa0b222ffd27625783ea25382712
SHA256

93fc98148dbcc6f16b8f6ca1d8bd6bc68eafb2b4b68e697135561f5845cf82b8
SHA512

1e1d08152bfd2f71b5aeeae8b506af8003f413bf79611a43467a7a1ff08c7aa664444f4166c00fb2b27be0a1cfb8311ebfce82988aa0f69d9ab77e15be10f0a9

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

- Target
  
  93fc98148dbcc6f16b8f6ca1d8bd6bc68eafb2b4b68e697135561f5845cf82b8
- Size
  
  656KB
- MD5
  
  68378be4104c3c2755528a8b220bed75
- SHA1
  
  73669194e71efa0b222ffd27625783ea25382712
- SHA256
  
  93fc98148dbcc6f16b8f6ca1d8bd6bc68eafb2b4b68e697135561f5845cf82b8
- SHA512
  
  1e1d08152bfd2f71b5aeeae8b506af8003f413bf79611a43467a7a1ff08c7aa664444f4166c00fb2b27be0a1cfb8311ebfce82988aa0f69d9ab77e15be10f0a9
Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbook3noppersistenceratspywarestealersuricatatrojan

behavioral2

formbook3noppersistenceratspywarestealersuricatatrojan