formbook | 89b44ca030f49c36a138e2c14f6ce2e9d88a36a610033bc310200d44c6061445 | Triage

Submit
Reports

Overview

overview

Static

static

New Order 984994.exe

windows7_x64

New Order 984994.exe

windows10-2004_x64

Sharing

General

Target

89b44ca030f49c36a138e2c14f6ce2e9d88a36a610033bc310200d44c6061445
Size

410KB
Sample

220521-brwehsfddp
MD5

1aa7c6c750e7fae09ae3e462e2307b67
SHA1

b1600b9282d890dcd47eeef27b1a3dd6542fff11
SHA256

89b44ca030f49c36a138e2c14f6ce2e9d88a36a610033bc310200d44c6061445
SHA512

118f8106e915595e0adb591bd9e5ade000130cc84e171e0db009f0ada6e3875cd2202d9f71d649357a005658eb31159940015fde07cba76585be7ac84244545d

Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

New Order 984994.exe

Resource

win7-20220414-en

formbook q5e persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New Order 984994.exe

Resource

win10v2004-20220414-en

formbook q5e persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

giftstgg.com

imonsanto.com

invoicefor.com

qfhxlw.com

wsykyy.com

gladius.network

peliculaslatino.online

timookflour.com

gxkuangjian.com

utvklj.men

rabota-v-avon.online

sheashealingway.com

thoitrangaoda.com

rytechweb.com

circuit69.com

crowd-design.biz

carosiandrhee.com

778d88.com

calvinkl.com

cjkit.com

jgkwhgxe.com

sanitascuadromedico.com

mellorangello.com

whiteinnocence.com

medtechdesignstudio.net

nurturingskin.com

guardyourweb.net

juw2017.com

jnheroes.com

damicosoftwaresystems.com

gesband.com

onwardsandupwards.info

gopropackaging.com

centerforaunts.com

sarrahshewdesign.com

intelligentcoach.net

iasisf.agency

products-news.com

calvinspring.com

100zan.site

9mahina.com

saleaustralianboots.com

floatinginfotech.com

calcinoneweek.com

yofdyk.com

Targets

- Target
  
  New Order 984994.exe
- Size
  
  494KB
- MD5
  
  3a92350e5c65597f42e06a910a067f12
- SHA1
  
  02946e812bc7082e8454deaa124571aa158aa680
- SHA256
  
  bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799
- SHA512
  
  840c43470a54268711beee1dad860cf5efabb6dd9995cb522198e459914c4392d19b94bdfe7eb763d8929641fb900d57c1cc2b03efc685dba8ec973d5ad80127
Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookq5epersistenceratspywarestealersuricatatrojan

behavioral2

formbookq5epersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy