formbook | a260058a1fd26d9661a5258ef8deba43c34718a49da63ba059d21a7a6c1778de | Triage

Submit
Reports

Overview

overview

Static

static

PURCHASE O...67.exe

windows7_x64

PURCHASE O...67.exe

windows10-2004_x64

Sharing

General

Target

a260058a1fd26d9661a5258ef8deba43c34718a49da63ba059d21a7a6c1778de
Size

266KB
Sample

220521-cwfejaeeg4
MD5

840b556e294a738229690a21625c1e27
SHA1

7cfeb2b0500452bd21a0bfac14faf8533602246c
SHA256

a260058a1fd26d9661a5258ef8deba43c34718a49da63ba059d21a7a6c1778de
SHA512

88653a97ceda6a97aed4e58d96fe9c1e9cd5e2e5545465702d24ad79ff7a95eb75da2a24ce59c330d3ef326d42e2e7919fdba5c1ca338e3ed6563179db271390

Score

10^/10

formbook wdm evasion persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PURCHASE ORDER NO7654567.exe

Resource

win7-20220414-en

formbook wdm evasion persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PURCHASE ORDER NO7654567.exe

Resource

win10v2004-20220414-en

formbook wdm evasion persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wdm

Decoy

rutherfordwomansclub.net

theclassicapplique.com

7-zd.com

kmngeg.info

claudinelloriot.com

bitcoinpride.info

mfmhdev.com

eenhar.com

onlinesmartnews.com

utilitariostucuman.com

find-quality-rentalcar.com

bodyartdnvr.science

silverfoxtail.com

zbrunda.com

killosaurus.com

heatheratl.com

xn--xhq30huts43cgs2e.com

lipmat.com

gegdon.net

foxinsurancedmv.com

jaydendownes.info

realtalkpenn.com

kfjinke.com

xctinctco.com

mrcarew.media

suggestionapi.com

lightblueproject.net

lijhenlian.com

37876delta.com

dieklimaretter.com

east-capital.com

temkosh.com

meikemeilin.com

vh-biotechnology.com

laugh-now.com

saudebazz.com

kangauz.com

wholisticnutritionlab.com

barcheusate.biz

wwwbetclic.com

caixuwood.com

282opebet.com

filmbagusbaru.info

balmybutter.com

redeemcardpoint.com

karyamotornias.com

vipslotss.com

9cjdr2.info

balintinc.com

gm610.com

sz-jgs.com

leejbarclayart.com

thesociellestudio.com

antiquekitten.com

luxuriouscarnival.com

qjbdy.com

international-connector.com

libertiesplumbers.com

682zy.com

kexuetanmi.net

madebymekits.com

luxuryexperienceinparadise.com

theconnex.com

taylorexpresslnc.com

becouf.com

Targets

- Target
  
  PURCHASE ORDER NO7654567.exe
- Size
  
  298KB
- MD5
  
  ab99d25b2996150cc085ab8eae483f2d
- SHA1
  
  84f5200e330d6d4be843564d3494056a90da8fad
- SHA256
  
  a46eb9ad512b0b9355c24ab2320a1cd25758bc5e90485a476596982d41f9fe56
- SHA512
  
  cb328d225b61ce7231579488d29f62e5cef2fb9944abe8b5915fd86a264b76f794cd7bf12e5536a218cfcfcd38fe76e7c7a3dbd1e6fe0300cf33979b84929a0b
Score

10^/10

formbook wdm evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookwdmevasionpersistenceratspywarestealersuricatatrojan

behavioral2

formbookwdmevasionpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy