formbook | b13f0477dc1fa39cf53bb31ea61dc7068e57135953283538cb16155703d6c609 | Triage

Submit
Reports

Overview

overview

Static

static

mgkreERjvr7XiMz.exe

windows7_x64

mgkreERjvr7XiMz.exe

windows10-2004_x64

Sharing

General

Target

b13f0477dc1fa39cf53bb31ea61dc7068e57135953283538cb16155703d6c609
Size

349KB
Sample

220521-crqdyahder
MD5

fd8dd42ea9367a5baec9cceb9b3475c7
SHA1

75083c96ed2cfcc7e6eb335ac7d0dd7f5e2bfcd0
SHA256

b13f0477dc1fa39cf53bb31ea61dc7068e57135953283538cb16155703d6c609
SHA512

30c138778a14e9d6c2d27d8f1518ab8465969ea2dc7517e48db6083b7378295a67cd3fa697727fdd309d95cba8793ace11564d072e2a74427217b4f3b9c76981

Score

10^/10

formbook duj evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

mgkreERjvr7XiMz.exe

Resource

win7-20220414-en

formbook duj evasion persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

mgkreERjvr7XiMz.exe

Resource

win10v2004-20220414-en

formbook duj evasion rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

kandilakes.com

digitalcoincollective.com

seedrazer.com

24houremergencyroomnearme.com

xn--lg3bu5if3f.com

557486.top

czqfkj.com

running0711.com

aimwizard.com

holdingtoken.com

qgyldzw.com

mt1618.com

chiquicreates.com

0pe345.com

shopmomsthebomb.com

cheerzhangover.com

tascoxuanphuong.info

suitablepersonalprotection.com

dh12345.com

pixelfocusphotography.com

tianhegongcheng.com

foodsweet.com

hoamailand.com

btr96.info

eatsmartcookie.com

studebakergs.com

110422.info

infoicobit.com

northeastphillyshuttle.com

lover-road.com

pacificsolo.com

intangiblebitcoin.info

quericus.tech

indianchemicalmart.com

trublueroanokeva.com

apollontimes.news

interiordesignersudbury.com

klarkindustria.com

fraisgr.com

marketersarbitrage.com

adoriagroep.com

hxjfqe.com

stoneandstran.com

genkicoffee.com

spatren.com

Targets

- Target
  
  mgkreERjvr7XiMz.exe
- Size
  
  404KB
- MD5
  
  332c98e548482176fda185f932f2ed18
- SHA1
  
  8bd6cfdc0950cd2fad8f64765b6107cc2d6f87eb
- SHA256
  
  ce6d1fc239eb571fde9427c0d7f11d7b6a7a1c0466711524b690ca0de3556a6b
- SHA512
  
  20a1a33c6e4358469ea2227687fdcb7eec13503a483c866e4196ac70a639b8320e496d6b2bb75facbd0789e0bd01aed1c9bfa0626c3b136c99b27b8840d5696a
Score

10^/10

formbook duj evasion persistence rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookdujevasionpersistenceratspywarestealertrojan

behavioral2

formbookdujevasionratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy