formbook | 97c8b86636fb4b9c0c95d9c445d89cb712e2776b3e514295a72d11601450709a | Triage

Submit
Reports

Overview

overview

Static

static

SOA 22072020.exe

windows7_x64

SOA 22072020.exe

windows10-2004_x64

Sharing

General

Target

97c8b86636fb4b9c0c95d9c445d89cb712e2776b3e514295a72d11601450709a
Size

271KB
Sample

220521-adfapscheq
MD5

4dbe32bf405ac8daa47053f64eac4776
SHA1

f2dfe82b1b53d902811ff84cef9ed9b3f7676ae4
SHA256

97c8b86636fb4b9c0c95d9c445d89cb712e2776b3e514295a72d11601450709a
SHA512

0081935509f0f6345e385de3b8ad7ae35f2f0ba85c4dc4ee2ef8676e2f37f9ce44d268ec25c8110f1e01c3543799571769a45be727062ebdb64714ad6b3005a6

Score

10^/10

formbook hnh evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

SOA 22072020.exe

Resource

win7-20220414-en

formbook hnh evasion persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SOA 22072020.exe

Resource

win10v2004-20220414-en

formbook hnh evasion rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hnh

Decoy

stackingplans.info

landscapingcanberra.com

apxlegal.com

gzajs.com

senladvocaten.com

stephanieabella.com

indivmgtsvc.com

wildlife-botanicals.com

fingrfull.com

ustar-electric.com

timesharebefree.com

safefirstresponder.com

giliticketoperator.com

silverstarscents.com

4752condordrive.info

joomak.net

new-auto-news.com

ottodesign.store

kxg01.com

chrisoncreation.com

robielutsey.com

dhayaltechsystems.com

giftbizz.com

outpost-security.com

wwwjinsha937.com

pro-piedades.com

buffalocoresupply.com

netw.site

gooddayrental.com

qingyujian.com

atiasyariv.com

immaver.com

intervention4change.com

landlockedtraveler.com

onionfaucet.win

fairygroundsocks.com

adrianscharfetter.com

prolumen.biz

ibkmalakhit.net

rivertownehomeforsale.com

productsarehard.com

recoreltd.com

111972.info

wahzik.com

lackyshopping.com

xn--u8jxbl0m2g4a1h6q.com

ousxqh.men

bobingxiaochengxu.com

fullkiwi.com

dearwaltdisney.com

njduqiang.com

firesideeditions.com

cuagonhuaviettin.com

imaginethatideas.com

tian.agency

astrosolarfast.com

chosentechshopandreview.com

avatar99.com

lakazanono.com

news-chinatimes.com

www245234.com

hojespecial.com

x13q876dvq.com

tmtcaa.info

patlod.com

Targets

- Target
  
  SOA 22072020.exe
- Size
  
  371KB
- MD5
  
  8f0593680392f53ee586bb66c2885d8f
- SHA1
  
  320d855a8797fbd3bbd9871c9ac747c9fba1c73d
- SHA256
  
  c53c864741e005d5b04ca3349e81597e61b8ee3ecd7a03cddd2d15d955cbb04a
- SHA512
  
  cf5ba58c64c9c25263bfb18528358659e08384fddf41ff7619308abf4962860a281a2ef91ca4321c0da5ae7af4764c6e9f3e5ba3991fbc5c5293a32df744e535
Score

10^/10

formbook hnh evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookhnhevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookhnhevasionratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy