formbook | 3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a | Triage

Submit
Reports

Overview

overview

Static

static

comand? nou?.exe

windows7_x64

comand? nou?.exe

windows10-2004_x64

Sharing

General

Target

3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a
Size

347KB
Sample

220521-a1fjzseagq
MD5

e3ad0c63ef186d3f865df7f93a81b125
SHA1

a7a09846d201736decb5db298821beb25f7acf56
SHA256

3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a
SHA512

92a2509dd3a3dfeb59c621c233cf522ee6c243eac91271e5184dd8f96ca591e03522aab3a7f2d6c8479f6c4cc4a338fcc9e618a06439be1ae155fe39e74c9736

Score

10^/10

formbook xczm evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

comand? nou?.exe

Resource

win7-20220414-en

formbook xczm evasion persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

comand? nou?.exe

Resource

win10v2004-20220414-en

formbook xczm evasion persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xczm

Decoy

graceandnathangetknotted.com

myporndesires.com

alphagamingaccessories.com

51zhuimeng.com

196wrf.info

lubanzizhi.com

107xt.com

jatinangorcity.com

tumblrdatinggame.com

mtorc1inhibitor.com

boogxgenblm.live

iotaneuralnetwork.com

booksinclouds.co.uk

made-in-asiago.tech

myfunbooks.net

rglrgrl.net

azumiyakkyoku.info

qasryna.com

ara-digital.com

barnboost.com

vesseladmin.com

waixiangji.com

reubenarcherrocks.com

finewu.com

homeworkersguild.com

chifeng3.com

rickme.com

snorkellingcouses.com

orendafitness.com

thredami.com

icastmodeling.online

xuankhani.com

dup-sgrd-paris.com

nezamerzaika.online

alotkit.com

madisonventurepartners.com

ivybeyond.com

charitycareerscommunity.com

camdenairshow.com

theferrellcollection.com

kaigofan.com

ddgan59.com

smartfuturez.com

myroofgaf.biz

coyotevalleysaddleshop.com

danunsah.info

inqract.com

autovaldepereira.seat

tlcsigns.net

compassionateaccountability.com

buddhistbot.com

melloweducation.com

cardinalheroes.com

xcdysl.com

pinechain.com

5551005.com

keeperofthebeesnwnj.com

yk014.com

qmailrocks.net

indimeo.com

importinnovationconcept.com

007ind.com

markerclothing.com

bulletkingbedliner.com

fex-tracks.com

Targets

- Target
  
  comand? nou?.exe
- Size
  
  390KB
- MD5
  
  4213a0c5f1cb2ef588cc1097c21a3461
- SHA1
  
  dbf1b38120dd815f96660ba1af0889a599e0fa11
- SHA256
  
  7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37
- SHA512
  
  62e77591ab1446adf82b7ac705b5886eb3e17244574b00337efcfc99e69372cc3f7891364826aa30e27a47e04b936cd654cd9e59d1079e56c5e1f4f904055994
Score

10^/10

formbook xczm evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxczmevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookxczmevasionpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy