formbook

General

Target

f99fcaedc0640fba0f23d2e558a0e3404d9b4e8ff312919a4d7a6683d3b41726
Size

383KB
Sample

220520-rfzkssffb2
MD5

9ef057b1d44424d17662adc9bb7d0671
SHA1

017efd4ed69b0503c5067cde886893d0038af13a
SHA256

f99fcaedc0640fba0f23d2e558a0e3404d9b4e8ff312919a4d7a6683d3b41726
SHA512

9d97ebe3235809763a3151a91447928c4dbbfffeb7488954f1338e6c41e2d61f49f6411680af00536b90242e53172ef42301c1e31b335b6db66ab394225990fc

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Targets

- Target
  
  order.exe
- Size
  
  684KB
- MD5
  
  3b946d9c1c8d6586540fd217f44201dd
- SHA1
  
  63c11f8a26e69e5a0f1a19c2115eb8be8f57cb2a
- SHA256
  
  0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
- SHA512
  
  30373763bef2d7eee0c8d8c901a82bb7eaf97bc7bd44c714e06e31fad03dd01b051c3913030b6587e68b960fdd31d4280285002ab53fb54df3806c8c54281184
Score

10^/10

formbook w9z persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2