formbook | 68ac6f0ad7bce72b24cd1ed92e0ddeace4268c51281bfe030c4b8c3f38af6ec7 | Triage

Submit
Reports

Overview

overview

Static

static

KRD2020000...DF.exe

windows7_x64

KRD2020000...DF.exe

windows10-2004_x64

Sharing

General

Target

68ac6f0ad7bce72b24cd1ed92e0ddeace4268c51281bfe030c4b8c3f38af6ec7
Size

484KB
Sample

220520-2yhp4sgbh8
MD5

50adff2b73c2d25ac4a3a40086f8cc18
SHA1

15d1c8954c852f8da67155aef5edd9a36a3b0799
SHA256

68ac6f0ad7bce72b24cd1ed92e0ddeace4268c51281bfe030c4b8c3f38af6ec7
SHA512

d48a841d735ede4bc3a3b2f41e104efe014ce21b3de468403af998f423e0e9c91b606ade8cd281e090daa1841ef5f5c48f2240b1aa9a1994241c2de8c1e47b9e

Score

10^/10

formbook hnh evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

KRD2020000000002 PDF.exe

Resource

win7-20220414-en

formbook hnh evasion persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

KRD2020000000002 PDF.exe

Resource

win10v2004-20220414-en

formbook hnh evasion persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hnh

Decoy

stackingplans.info

landscapingcanberra.com

apxlegal.com

gzajs.com

senladvocaten.com

stephanieabella.com

indivmgtsvc.com

wildlife-botanicals.com

fingrfull.com

ustar-electric.com

timesharebefree.com

safefirstresponder.com

giliticketoperator.com

silverstarscents.com

4752condordrive.info

joomak.net

new-auto-news.com

ottodesign.store

kxg01.com

chrisoncreation.com

robielutsey.com

dhayaltechsystems.com

giftbizz.com

outpost-security.com

wwwjinsha937.com

pro-piedades.com

buffalocoresupply.com

netw.site

gooddayrental.com

qingyujian.com

atiasyariv.com

immaver.com

intervention4change.com

landlockedtraveler.com

onionfaucet.win

fairygroundsocks.com

adrianscharfetter.com

prolumen.biz

ibkmalakhit.net

rivertownehomeforsale.com

productsarehard.com

recoreltd.com

111972.info

wahzik.com

lackyshopping.com

xn--u8jxbl0m2g4a1h6q.com

ousxqh.men

bobingxiaochengxu.com

fullkiwi.com

dearwaltdisney.com

njduqiang.com

firesideeditions.com

cuagonhuaviettin.com

imaginethatideas.com

tian.agency

astrosolarfast.com

chosentechshopandreview.com

avatar99.com

lakazanono.com

news-chinatimes.com

www245234.com

hojespecial.com

x13q876dvq.com

tmtcaa.info

patlod.com

Targets

- Target
  
  KRD2020000000002 PDF.exe
- Size
  
  735KB
- MD5
  
  4e904adeaaeac677885bbe4c6be06a3a
- SHA1
  
  48fe1138bb8323fa29f5b9d7b8e02a97dc0c9afa
- SHA256
  
  d104548b154ac28142944b839993b9f0c8ad45d42a3e72d888aa8ba0e22562fd
- SHA512
  
  2803b5a5b4cab020a2a3bb1861601633ec8041a20946cd6f8fc57f5a936bf1f535ec3dc2a597c60f360ad4cc2a45f97b372be04351c9ac30ec9a053804e696ef
Score

10^/10

formbook hnh evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookhnhevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookhnhevasionpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy