formbook | 145d4f7a7e4fc11b9879cd73c9c5b94b911492c73585719ac5a2373fc4c0c735 | Triage

Submit
Reports

Overview

overview

Static

static

PO 0897544...78.exe

windows7_x64

PO 0897544...78.exe

windows10-2004_x64

Sharing

General

Target

145d4f7a7e4fc11b9879cd73c9c5b94b911492c73585719ac5a2373fc4c0c735
Size

521KB
Sample

220521-a6tnssedcq
MD5

73e3aeb8b94c9bbfff798144cf4e207b
SHA1

9070b4180bcb1b04c7771167b286826d7f103947
SHA256

145d4f7a7e4fc11b9879cd73c9c5b94b911492c73585719ac5a2373fc4c0c735
SHA512

92e047ba6968487cd0ca9e0c71b93ccfc1a07dbbcb0bb4135c7a05eb8754860a814e1a5e78b4e4b0f8847ebcddc9205c7a82e7d5c9366ced739b849b85ff344a

Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO 089754432 c776878.exe

Resource

win7-20220414-en

formbook q5e persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO 089754432 c776878.exe

Resource

win10v2004-20220414-en

formbook q5e persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

giftstgg.com

imonsanto.com

invoicefor.com

qfhxlw.com

wsykyy.com

gladius.network

peliculaslatino.online

timookflour.com

gxkuangjian.com

utvklj.men

rabota-v-avon.online

sheashealingway.com

thoitrangaoda.com

rytechweb.com

circuit69.com

crowd-design.biz

carosiandrhee.com

778d88.com

calvinkl.com

cjkit.com

jgkwhgxe.com

sanitascuadromedico.com

mellorangello.com

whiteinnocence.com

medtechdesignstudio.net

nurturingskin.com

guardyourweb.net

juw2017.com

jnheroes.com

damicosoftwaresystems.com

gesband.com

onwardsandupwards.info

gopropackaging.com

centerforaunts.com

sarrahshewdesign.com

intelligentcoach.net

iasisf.agency

products-news.com

calvinspring.com

100zan.site

9mahina.com

saleaustralianboots.com

floatinginfotech.com

calcinoneweek.com

yofdyk.com

Targets

- Target
  
  PO 089754432 c776878.exe
- Size
  
  750KB
- MD5
  
  229dd4646e1b0f3ec0329e4638d42fae
- SHA1
  
  8507085efdc72cc46cdf8c71af021809efd5aa93
- SHA256
  
  89622e7b31d7c624d46b02fedd8c17b214e307b243c2143a1fab97e067827922
- SHA512
  
  bb20ff81d8849df3aa3cbacd437438e28386ca1bc559a5e720877aaf9fe3a367c5993ff98aea6af06a2048038f58142078abbeaad68bc97ef6ff83e3189a4599
Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookq5epersistenceratspywarestealersuricatatrojan

behavioral2

formbookq5epersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy