formbook | e58c9f4df9489046914307a021fc4a4069b00cba9e95092748b05ddf75fc1408 | Triage

Submit
Reports

Overview

overview

Static

static

sartname.exe

windows7_x64

sartname.exe

windows10-2004_x64

Sharing

General

Target

e58c9f4df9489046914307a021fc4a4069b00cba9e95092748b05ddf75fc1408
Size

385KB
Sample

220520-ry9hqagfh9
MD5

b72483f25e1f3f89bc98fbd15556ecc8
SHA1

a4c395dcb310ddaf7e1c6397dc91e56e8f66323f
SHA256

e58c9f4df9489046914307a021fc4a4069b00cba9e95092748b05ddf75fc1408
SHA512

03f8fee3d5d0454bbf207294e2d2f258958ae264279c30eeb76be70b02fd8187bfbfc281e126968267cdc05e578677ac293b0e868a0ba9568214e6ff3ee49373

Score

10^/10

formbook modiloader n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

sartname.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

sartname.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  sartname.exe
- Size
  
  1.2MB
- MD5
  
  c1f3c9e997f8bb5f646d3159cc034f63
- SHA1
  
  2d33cd7d13efb4c1b91ac70eb71ece327a80583c
- SHA256
  
  784e7f732ce32eec8f01959777f45b1393c6528da49bc92cd2da41890f7798f6
- SHA512
  
  73577f0b431277771a1a4a2ae6a9f1bfbe557178488e934712f37a2582def76a9efdcaf6a8bb307668e0c8adce74d6ea76e3d89ad126cd64f543a0ee35f16aa3
Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealersuricatatrojan

behavioral2

formbookn7akpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy