formbook | 68527014856bd500a522a073f6aa516a0afa39ceca0753eca03db7fbdfb8153b | Triage

Submit
Reports

Overview

overview

Static

static

5

Mensaje SWIFT.exe

windows7_x64

8

Mensaje SWIFT.exe

windows10-2004_x64

Sharing

General

Target

68527014856bd500a522a073f6aa516a0afa39ceca0753eca03db7fbdfb8153b
Size

1.1MB
Sample

220508-xq9reaafer
MD5

f7bcec35aa9f94f7f4ed41a8455861e4
SHA1

ac291564d2148ae73cab663ced37a915b4eef2a3
SHA256

68527014856bd500a522a073f6aa516a0afa39ceca0753eca03db7fbdfb8153b
SHA512

1ef214c6bb3606bb9b1e46c4908d7b7bf3e52a18f564bb7b9eab4133a0e6d22fba4758540410b9adb171795c85b56fc7774efb9007e5c73cd3ea9260150ff9b1

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

Mensaje SWIFT.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Mensaje SWIFT.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  Mensaje SWIFT.exe
- Size
  
  1.6MB
- MD5
  
  e33828622c9d953e1e5ad7a3b16d2b77
- SHA1
  
  c15e6c76cc4448a4f27ade1a70c4aaf2486503e6
- SHA256
  
  2f05200e09f38d2197fb48d265bcd4d050131f688ce51cf86478192df100d675
- SHA512
  
  903e518f4b481c13a10eef062a0499c72ff810dd1a3f0dad620cb5fa4b5b6cb244db999d09f7813e020b4fb24c54522f067903c60829d0f7f6c3a1c7a492d86f
Score

10^/10

upx formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookn7akpersistenceratspywarestealersuricatatrojanupx

© 2018-2024

Terms | Privacy