formbook

General

Target

deeed37a10d7707ee60bcaec58b745252a61f4554a1a41a5bd8555bff054b6e0
Size

351KB
Sample

220521-ce9xtagggq
MD5

a7e2a6ff0627a58b9b460dda9a2567ef
SHA1

f309416b674193104b1ef226e5e613928e9c47a2
SHA256

deeed37a10d7707ee60bcaec58b745252a61f4554a1a41a5bd8555bff054b6e0
SHA512

47de3477dbaa1cea7c887761b20c71a0b285f442f89bfd8127faa6af09decb7afb893ee1f71fc022db42e101a49235354cfabb758f9adc294219798dde184e2a

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

jac0

Decoy

chatbot-consulting.com

alynt.info

saudiarabianwomenjobs.biz

kingtour.info

poshlacore.com

hypnosetherapist.com

tampahurricanrelief.com

qqgan16.com

tag-designco.com

viaeviastaff.com

unhosting.today

apple-request.info

whitesauce.net

627evq.info

mygolfingwarehouse.com

materiaprojects.com

rj-ipt.net

cordences.com

invescoapconference.com

supplementcult.com

Targets

- Target
  
  ADHOC RFQ-97571784.bat
- Size
  
  405KB
- MD5
  
  2d2db3a8698206d1e4b0928f4910de8c
- SHA1
  
  eb735b973979d0a6c3dbd32638c84990c4503a37
- SHA256
  
  3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
- SHA512
  
  5e9ce4fc978df75833069dbdd0de93ef07d2141b3facbee7e69e7177c02d5fe4b7e65e348d7179997d726961905e655fa9644652bf208ff6f47c798ef4683a11
Score

10^/10

formbook jac0 coreentity persistence rat rezer0 spyware stealer suricata trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CoreEntity .NET Packer

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

ReZer0 packer

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2