formbook | 2adb8bdadf9867460dedfccd61ab3b0fde0af1211b914611f8ea4920f68eaca8 | Triage

Sharing

General

Target

2adb8bdadf9867460dedfccd61ab3b0fde0af1211b914611f8ea4920f68eaca8
Size

536KB
Sample

220521-a3sbkaecan
MD5

d181f7b36ac1fa53299a961be35356c5
SHA1

58fba48328ce1964e3846538636f487adc9bebb2
SHA256

2adb8bdadf9867460dedfccd61ab3b0fde0af1211b914611f8ea4920f68eaca8
SHA512

387e35f6ecf7c2030ff2699aeee316b4495be31ec7d62ba06c781511e8beded03668fa518b6b2459b82ad30d3fb5fd6ae55becbe79c9577e9e4b1a287938f160

Score

10^/10

formbook wus evasion persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wus

Decoy

generativecoaching.net

skillmosaic.com

practicalmaster.com

12aminmiami.com

instagramsupport.online

mainelse.net

qqysmr.com

wealthxd.com

videoadscreator.com

dltzscl.com

cotaforjulyans.com

forcend.com

shinjukufilm.com

bsq30.com

dragonsrose.net

loganbuys.com

wwwfitnessymusica.com

microbladingdublin.com

corporateiconic.com

sunshinegroupnyc.com

Targets

- Target
  
  PL PI.exe
- Size
  
  483KB
- MD5
  
  a55080b594286b0ccaf24ea05141293d
- SHA1
  
  1b7076439313bd90da6d37263a297fb613efc82a
- SHA256
  
  0707523c23666b0535673287616ea82b34e810594ddf19c45a0746d1bd697070
- SHA512
  
  fbf9b42a524985ca74de35338b0968bc54bae7b5b5693927e8a33d0be3175486966e863fcb1b98433d31ad3186cbdc80799e648e82f2a37c7f81a2a62e4445e1
Score

10^/10

formbook wus evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookwusevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookwusevasionratspywarestealersuricatatrojan