formbook | bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819 | Triage

Submit
Reports

Overview

overview

Static

static

shipping d...BL.exe

windows7_x64

shipping d...BL.exe

windows10-2004_x64

Sharing

General

Target

bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819
Size

377KB
Sample

220520-3w9lgshfe3
MD5

d921a212c9cd066df391374b26304466
SHA1

71927f4e9a855bbe179737a9a050d4233240ce7f
SHA256

bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819
SHA512

da5ec4802e9f500a4bc7f019ed1f28cbed51c07be2fe52523ab7b2725c51cdc828ccddaba3a752039bc94342d1efa11bf96c159a59b089e2d4ac4bf8bb0d9cc1

Score

10^/10

formbook otn persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

shipping documents, INV+BL.exe

Resource

win7-20220414-en

formbook otn persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

shipping documents, INV+BL.exe

Resource

win10v2004-20220414-en

formbook otn persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

otn

Decoy

thewoodwideweb.net

broadconnectionpm.com

tuzlametro.net

vjpqdk.info

vietnamtimetravel.com

notice-close-n217.online

verif22-mail999-pymts76.com

bestgreenhouseplan.com

brangain.top

cukaapelbragg.com

stileincucina.com

veloflambe.com

virtualsupportservicesllc.com

smpl.site

mezo.ltd

incidenciasarty.com

everglamp.com

theflowerfarmplanner.com

oasis-base.net

jnrhsh.com

hostux.info

aptivauto.com

xedinl.info

newfiveflags.com

ottleyco.com

my-debtrelief.com

frantac.com

new-auto-news.com

castironcravings.com

cplusc.studio

firsteditionbooks.net

atraedinero.com

fooddeza.com

mariancolmanart.com

ats-ortho.com

kabolobari.com

otcvollar.com

dliti.com

jidanyun.com

realestatewithdawn.com

idecorados.com

czgy1991.com

moneysavingmissy.com

oderviettrung.com

szzolon.com

candycrushsaga.cloud

jmsortho.com

carebookkeeping.com

milesdavidlee.com

generallasers.com

informaticahostednp.com

paintmywedding.net

opusdentalonline-beta.com

rickramgattie.com

nbgkl.com

pjhsea.info

accuratevinylinc.com

dissedin.com

findmyticket.info

greekobsession.com

trendlong.com

tumarcaesladiferencia.com

noragamst.com

shapupu.com

regulars7.info

Targets

- Target
  
  shipping documents, INV+BL.exe
- Size
  
  430KB
- MD5
  
  528803eb79a155fc433c390a194ae344
- SHA1
  
  3e85abf112dbe5d5cb3b36f82cb5e5aba4f54757
- SHA256
  
  5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1
- SHA512
  
  b3a29219e6287103d6443ef39891d29b9f95cb72c6b39537c576d7f47fcb53a910fc6d9524a8f90fe26fc42674dedf59b3d39859f0636ed578f16f4fc5a3140d
Score

10^/10

formbook otn persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookotnpersistenceratspywarestealersuricatatrojan

behavioral2

formbookotnpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy