formbook | 26d664ca784fb1e580452f247fcf9fa04520702309d3af5ff0a0fc222fb625eb | Triage

Submit
Reports

Overview

overview

Static

static

orden de compra.exe

windows7_x64

orden de compra.exe

windows10-2004_x64

Sharing

General

Target

26d664ca784fb1e580452f247fcf9fa04520702309d3af5ff0a0fc222fb625eb
Size

425KB
Sample

220521-dt5r3sgch9
MD5

1edc7d410e58578bc8989ebc17560045
SHA1

2a82e336d821a1af9da94684a777ee4c13e4c406
SHA256

26d664ca784fb1e580452f247fcf9fa04520702309d3af5ff0a0fc222fb625eb
SHA512

4035643dcb52eebb60f08bbecc91ea4b040563e3385354e07d3d98861bf274242297550b82c5db3ae650ab2e7db08569d39e44ba7c01047b59e57182b8f22c7c

Score

10^/10

formbook kvsz persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

orden de compra.exe

Resource

win7-20220414-en

formbook kvsz persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

orden de compra.exe

Resource

win10v2004-20220414-en

formbook kvsz persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

bocapvang.net

315px.com

eugeniobarros.tech

sif.email

xn--oorv2aj6bj7cds0d6p4b.com

polychips.com

grouptulip.win

landbank.site

bet365c.win

inbonz.com

outofthepark.today

jeaniney.com

weeip.com

dmoneylife.com

rticlubs.com

reisedating.com

marijuanadogbone.com

funippon.com

banknotesync.com

alexandre-boissard.com

valorartetattoo.com

savetheverse.com

specificpcshop.online

h0jt1y.accountant

jiqing3.com

alfaranakle.com

saft-store.com

wanderingcollective.com

santandermobi.online

557023.top

loulancaster.com

vedattelekom.com

jatinangorcity.com

goldencanaries.com

edgaralanbro.com

levelretail.com

taylorsandbek.com

upbeatnewyork.com

motoreselectricoschihuahua.com

hotair.wales

getawomantodoit.com

xiaoxiong365.com

cloudboxsupport.com

vecteur-u-shop.com

fex-tracks.com

Targets

- Target
  
  orden de compra.exe
- Size
  
  519KB
- MD5
  
  f54815ffc4db44ce06b3012f9d014f31
- SHA1
  
  2f0939b658ef735025b0c76c20c0101003076529
- SHA256
  
  e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
- SHA512
  
  76c1152640c367b4cefae86ec8c2dabc434659e29c7bcddc3a2af37c39fcf445a746021204a695f6b739d89a145331a28348cda4060c9668e2224d795505b9c7
Score

10^/10

formbook kvsz persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookkvszpersistenceratspywarestealersuricatatrojan

behavioral2

formbookkvszpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy