formbook | df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13 | Triage

Submit
Reports

Overview

overview

Static

static

1TOFpZKvqyRVuuy.exe

windows7_x64

1TOFpZKvqyRVuuy.exe

windows10-2004_x64

Sharing

General

Target

df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13
Size

265KB
Sample

220521-ce7gpadge5
MD5

4f8dc90155bd0528495ddef2c7453c54
SHA1

52b710b3c7550729871b83223382ff601d44c016
SHA256

df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13
SHA512

dad4ae66e8cfdbecd667d5077875ad584e31a050f8fafbdb481b6552518632564070266e6650fde0d9355681ad6a242d2472f36353b46975c7625951f3a0ebc1

Score

10^/10

formbook duj evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

1TOFpZKvqyRVuuy.exe

Resource

win7-20220414-en

formbook duj evasion rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1TOFpZKvqyRVuuy.exe

Resource

win10v2004-20220414-en

formbook duj evasion persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

kandilakes.com

digitalcoincollective.com

seedrazer.com

24houremergencyroomnearme.com

xn--lg3bu5if3f.com

557486.top

czqfkj.com

running0711.com

aimwizard.com

holdingtoken.com

qgyldzw.com

mt1618.com

chiquicreates.com

0pe345.com

shopmomsthebomb.com

cheerzhangover.com

tascoxuanphuong.info

suitablepersonalprotection.com

dh12345.com

pixelfocusphotography.com

tianhegongcheng.com

foodsweet.com

hoamailand.com

btr96.info

eatsmartcookie.com

studebakergs.com

110422.info

infoicobit.com

northeastphillyshuttle.com

lover-road.com

pacificsolo.com

intangiblebitcoin.info

quericus.tech

indianchemicalmart.com

trublueroanokeva.com

apollontimes.news

interiordesignersudbury.com

klarkindustria.com

fraisgr.com

marketersarbitrage.com

adoriagroep.com

hxjfqe.com

stoneandstran.com

genkicoffee.com

spatren.com

Targets

- Target
  
  1TOFpZKvqyRVuuy.exe
- Size
  
  302KB
- MD5
  
  4a15e3620504681438565df947f5a702
- SHA1
  
  750e4c022b615a9cc9ff4a8ebb3091e66244815f
- SHA256
  
  b43bca6dcc03b6c289b15fd6dde4bde2dee13d024f08b0ca47efefc9d9aa3d8c
- SHA512
  
  60d107c9a2d75c899919a69f55020ca60053ce164a8a796af78202fa1b56127c595d7b846da36c22da16390e1f0d51fdfca7902e8d7e25b3735115c16f4472e4
Score

10^/10

formbook duj evasion rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookdujevasionratspywarestealertrojan

behavioral2

formbookdujevasionpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy