formbook | a3aa28d96664fc95cf9b74941b6c0015e5c3d18dd5efcee33e1dd1773aa3316d | Triage

Submit
Reports

Overview

overview

Static

static

H2pjyhEAKkZfHdt.exe

windows7_x64

H2pjyhEAKkZfHdt.exe

windows10-2004_x64

Sharing

General

Target

a3aa28d96664fc95cf9b74941b6c0015e5c3d18dd5efcee33e1dd1773aa3316d
Size

306KB
Sample

220521-cv5ysshfcq
MD5

c6954abe475309997c919af83a0cf3eb
SHA1

277f10e1fd66665ee3fd03f3c21572c98c54fc5f
SHA256

a3aa28d96664fc95cf9b74941b6c0015e5c3d18dd5efcee33e1dd1773aa3316d
SHA512

3c4d398bbc3acf948e6e7e3944de3af21196b30f0d64c2aec77d20af486a919aace96a2dfd4ef95b7a8361f11dcb380cf771dad72d2d8373f60e52bbcee8f23a

Score

10^/10

formbook duj evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

H2pjyhEAKkZfHdt.exe

Resource

win7-20220414-en

formbook duj evasion persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

H2pjyhEAKkZfHdt.exe

Resource

win10v2004-20220414-en

formbook duj evasion persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

kandilakes.com

digitalcoincollective.com

seedrazer.com

24houremergencyroomnearme.com

xn--lg3bu5if3f.com

557486.top

czqfkj.com

running0711.com

aimwizard.com

holdingtoken.com

qgyldzw.com

mt1618.com

chiquicreates.com

0pe345.com

shopmomsthebomb.com

cheerzhangover.com

tascoxuanphuong.info

suitablepersonalprotection.com

dh12345.com

pixelfocusphotography.com

tianhegongcheng.com

foodsweet.com

hoamailand.com

btr96.info

eatsmartcookie.com

studebakergs.com

110422.info

infoicobit.com

northeastphillyshuttle.com

lover-road.com

pacificsolo.com

intangiblebitcoin.info

quericus.tech

indianchemicalmart.com

trublueroanokeva.com

apollontimes.news

interiordesignersudbury.com

klarkindustria.com

fraisgr.com

marketersarbitrage.com

adoriagroep.com

hxjfqe.com

stoneandstran.com

genkicoffee.com

spatren.com

Targets

- Target
  
  H2pjyhEAKkZfHdt.exe
- Size
  
  389KB
- MD5
  
  89d09a60f52f57c3ce453088e2e55929
- SHA1
  
  d44fce4891c9cbf331c2fe6d9d579f23b10f4089
- SHA256
  
  64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb
- SHA512
  
  f9c7e1ddc911d147146e9604dca1130f92e94589d4f9a415d7aa082910add68a7c7496ad633b6bea6abb9db5dcf1c8eb1b94a1dabe73f9e7ed067bc2cdd3ccdc
Score

10^/10

formbook duj evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookdujevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookdujevasionpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy