formbook | 1d65e497a5fd1c02c83a04fba5cd07130ac17bda7b476ee70a0bf8202eed4be5 | Triage

Submit
Reports

Overview

overview

Static

static

muestras d...os.exe

windows7_x64

muestras d...os.exe

windows10-2004_x64

Sharing

General

Target

1d65e497a5fd1c02c83a04fba5cd07130ac17bda7b476ee70a0bf8202eed4be5
Size

274KB
Sample

220521-bkrsracab6
MD5

18a6ac01533cce7b53a04314810349c1
SHA1

76024516e9c136bc0639e0f2f0e337940496c46c
SHA256

1d65e497a5fd1c02c83a04fba5cd07130ac17bda7b476ee70a0bf8202eed4be5
SHA512

94aad85c5df3b9bfccac5f6a089ff859fbd42e593461009e5714963313974216e9333478fe4eacc45636ecfb3559f9f8d74dac2f7ef6c0db1a035f28ce7f09c9

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

muestras de productos.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

muestras de productos.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  muestras de productos.exe
- Size
  
  544KB
- MD5
  
  085e4e06334e8dbab10d45a5dd96c72e
- SHA1
  
  b665738b4fb841dd02699df85f6ba4cb7b2ad2b9
- SHA256
  
  9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b
- SHA512
  
  c9b5b9ecffc09a2f11a866c6a0264e3687495bda69c4a728a113535b1f9fa008f944eb4d1a50601423ccdb8e329ea6ece9db26e108268efbad1537de6976057a
Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealersuricatatrojan

behavioral2

formbookn7akpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy