formbook | aaf433c2a97b43083875cd68addd1916972f8f9d4cbf1f69d8e835c593714f83 | Triage

Submit
Reports

Overview

overview

Static

static

New order.exe

windows7_x64

New order.exe

windows10-2004_x64

Sharing

General

Target

aaf433c2a97b43083875cd68addd1916972f8f9d4cbf1f69d8e835c593714f83
Size

213KB
Sample

220521-mmdvfsfbdn
MD5

80ffe4a0793284646c0753ed08f17c46
SHA1

d44e8d38cd1303dad5fff3eaec3c31e2fe179325
SHA256

aaf433c2a97b43083875cd68addd1916972f8f9d4cbf1f69d8e835c593714f83
SHA512

d5904ad03dc89050d9da75bf5d1a7aedb3c448382074d799b08ce58cb04c11d5afa0077c054e2ae9c2c60f07a25afe7722af322d6d443354977699dd8469ef7a

Score

10^/10

formbook 8utr persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

New order.exe

Resource

win7-20220414-en

formbook 8utr persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New order.exe

Resource

win10v2004-20220414-en

formbook 8utr persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

8utr

Decoy

krizeye.com

grupojoga.com

dgptj.com

aaclewyo.win

alyssamckinneyphoto.com

thedyeworksbv.com

getrichclub.com

founderscard.net

mcclainpick.com

vault.estate

amriglubal.com

erachain.ltd

elanyawine.com

whitedogblackcatgb.com

pnroiz.men

worlviewtravel.com

foundbyfind.com

hurst-mail.net

cottonpowerbd.com

j-lavainechampagne.com

bobbyobb.com

accelerated-russian.com

coltonlawyer.com

davidmoultonmd.com

maannyy.com

nouvelleconso.com

kimuntu-edition.com

web-h-service.net

thefallofcalifornia.com

vizoomcz.com

natestetic.com

xn--6xw0on0td32a.com

didjindustry.com

blogmotormadrid.com

floodforesp.com

geniostream.com

agriculverseeds.com

geshangni.com

barackbook.net

klomz.com

explore-life.com

annmackey.com

tengosincio.com

thirstytwink.com

sugo.info

thebatterysolutions.com

goldenocker.com

rujella.com

kzvzqy.info

340fyu.info

storida.com

avevideo.com

message-qu0m4c8hyiora5pwl.faith

trexgo.com

avalon.services

casakristal.com

koorahasrya.com

chungcut3thanglongcapital.com

vidyarthees.com

stabletransformations.net

rani.ltd

vdwq80a.info

elrancheromexicangrillaz.com

movueclipvideo.com

masionlex.info

Targets

- Target
  
  New order.exe
- Size
  
  281KB
- MD5
  
  44d67d39cf033d2b1c5f669e181456dd
- SHA1
  
  93fa54a9399eafe1faf0810fc6f7d4c1daa77ee7
- SHA256
  
  7292b78a638622778908fde4d5ff1f66b4d2ed905a0f36622b28da645e0f0faf
- SHA512
  
  d549df5a78f54f51ac601263a2b61c69ef328a6cb2619244b1428b0ec46895722c7c89f8541820d03e943a0a6d39b89552c830ea156b08413ad4192c4d995d21
Score

10^/10

formbook 8utr persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook8utrpersistenceratspywarestealersuricatatrojan

behavioral2

formbook8utrpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy