formbook | f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203 | Triage

Submit
Reports

Overview

overview

Static

static

yeni sipari?.exe

windows7_x64

yeni sipari?.exe

windows10-2004_x64

Sharing

General

Target

f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203
Size

570KB
Sample

220521-b945dagefj
MD5

197120fbf7a74115cccd479fda8ea4ab
SHA1

7707a427178a01fa1b3aeccee3e67b912347cdcc
SHA256

f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203
SHA512

a1fb4ba77783f3ac1899108f993d2adf4e8442d3d0fe1de773bd73c1a9ed994b296c98891763d135364529c8bb9544ee34fd0a6191239b17c44fb0bafe00ddae

Score

10^/10

formbook kvsz persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

yeni sipari?.exe

Resource

win7-20220414-en

formbook kvsz rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

yeni sipari?.exe

Resource

win10v2004-20220414-en

formbook kvsz persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

krii8it.com

etroty.com

siliconetechsolutions.com

idoukang.net

jb5w3c.download

cmvtulancingo.com

duniageo.com

therisc.com

recruitwith-rr.com

liential.com

americavolcano.win

miyario.com

theballerinashoecompany.com

43u99.com

hananoame.com

wwwglowhaus.net

crowdcoins.biz

icograda.net

fujiansoles.com

bliss-okachimachi.com

socalautobahn.com

140sy.com

digitalreceived.com

nmgwen1.com

kkpbk.info

mysticleggings.com

doubble.design

votenoissue44.com

gamingchairss.com

cccav23231.com

hautecoiffurevirginhair.com

jhucw.info

facultet.net

agriculturaldrill.com

bettingonline.info

seorowipe.com

newtampahomeloans.com

1clickapp.net

2022xx.com

freepartmanual.com

bellafacciacollection.com

auctionnecrotic.info

unico-equestrian.com

hui16st.com

aliapourvous.com

ucbhvc.info

weddingstatement.com

rahasiauang.com

historia10.com

theumbulizer.com

hemphorowhenua.net

bidrainfoage.com

flowofhealing.com

quintessence-symposium.com

yunslee.com

razayakfoods.com

aloofad.com

entrepreneurextraordinaire.net

dtxjna.info

xerpsol.com

lilihj.com

xelesthiainc.com

reikiwithnaomi.com

married-to-a-stepmom.com

regular8.info

Targets

- Target
  
  yeni sipari?.exe
- Size
  
  719KB
- MD5
  
  2209b47aae001d2bd001bfdefc337f68
- SHA1
  
  bb4984f3c1f8780069ec094b93668e9c45d65187
- SHA256
  
  ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65
- SHA512
  
  d206f7aa864fce2e4592842fbd50b05ef937d756a1078884e6c19cf65adfe61e205b7e1a4f6350a503a323cda216036b7301919e7ec70aa6840edc2bed8b8ea0
Score

10^/10

formbook kvsz rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookkvszratspywarestealertrojan

behavioral2

formbookkvszpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy