formbook | a9b0dca2f97a588928c46ce6a186ad9470c1f93637858180069e6ed02c93c8e7 | Triage

Sharing

General

Target

NewXorderXlistXisXXXattached.zip
Size

586KB
Sample

220321-zt7gkadgc8
MD5

1b68a6cd6e48955b54ceda22e51c1770
SHA1

1dc85f95f4618370532ac5e80e54cc4e2f1ea674
SHA256

a9b0dca2f97a588928c46ce6a186ad9470c1f93637858180069e6ed02c93c8e7
SHA512

19b1ef5f3824d27e5cc00ca8bd62c7698dff9e36bb6a5458ca893d435c474effcedc92c72c799d01b4455ccca51f9d0fce5c9d0ae5daa3d6e56d85f2e2a87a74

Score

10^/10

formbook 3nop persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Targets

- Target
  
  New order list is attached.exe
- Size
  
  1.0MB
- MD5
  
  f827aab7bbb871e026de55c9884c7986
- SHA1
  
  dc4c11b36add611aee52a751e1f2aad8246da3d5
- SHA256
  
  4ed75b8466a537951e39fcf6a8a024701d41c6ff3be98153dcc81dbff6a75756
- SHA512
  
  54fcc300037d6bb87b283d6073127dd2f1e07ce389c2cf2d97635507be1f05eb4d7dc6348e11d886aa9f3339b93ff58c2d62e3d97dd9bcc13f60eef7d8efa6e5
Score

10^/10

persistence formbook 3nop rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbook3noppersistenceratspywarestealertrojan