formbook

General

Target

a9b2915ab0f0da7e2fa4b9f0e9b110643a87af565bb90d9065863e1fc88896e2
Size

411KB
Sample

220521-ctnm5aheel
MD5

9215868f234a1214057eb0ea27ee375a
SHA1

8311e78fb5bef1ad749da4479d7ff4ddc97af63d
SHA256

a9b2915ab0f0da7e2fa4b9f0e9b110643a87af565bb90d9065863e1fc88896e2
SHA512

ac0915a5e327236312291a61acfe99386aa03a3d8cdd00eab69d8b89260fcc707e77aba1244772566d7048630f674313ec64e85d515d5d15b1405ce1db5884d3

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hnh

Decoy

stackingplans.info

landscapingcanberra.com

apxlegal.com

gzajs.com

senladvocaten.com

stephanieabella.com

indivmgtsvc.com

wildlife-botanicals.com

fingrfull.com

ustar-electric.com

timesharebefree.com

safefirstresponder.com

giliticketoperator.com

silverstarscents.com

4752condordrive.info

joomak.net

new-auto-news.com

ottodesign.store

kxg01.com

chrisoncreation.com

Targets

- Target
  
  SOA.exe
- Size
  
  450KB
- MD5
  
  f2a45dd3bf1205ff6053bbdd90665946
- SHA1
  
  0b8a2c567a1a896821f8a62b04b9a4ba0a7d1009
- SHA256
  
  3305e88d2594770eced662a94933358d2d1d57534aebb9c6b7876e50de58a8a1
- SHA512
  
  de27e1bd31e96c1f720c4371eb63e3cebc18447247099d0f789f1d4479a167b2d932e0144e15bbf14a2de3ae766a7476f29649bb3371e270b4cca446fe0710c9
Score

10^/10

formbook hnh evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2