formbook

General

Target

4c71d9af7f2460a7467b01ff03cfb4b060af418a050afa4895e4feea6c6ca322
Size

208KB
Sample

220521-mmfztafbdr
MD5

07d431aabd1c64a305521f0eab14c186
SHA1

888a88a96efc6fad5b4ab2c5ec32bc962bdc82b2
SHA256

4c71d9af7f2460a7467b01ff03cfb4b060af418a050afa4895e4feea6c6ca322
SHA512

5d78fd7f6de45af36942554e88bbd2debff18e0f15792e3ca16aa197723eb1dc38de854ea8aa99eda0725112b74cdae382653c2acfd7b37d08fad788abf354cf

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b0y

Decoy

studiokopa.net

captaindoggo.net

project-woodwork.com

lasvegaskosher.com

elionimali.com

cozystylekobe.com

baiyizhao.com

djaimevargas.com

getshop.today

chikkadee.com

historicnortherncolorado.com

artofbrandstorytelling.com

robinsonscommunitiesph.com

petfriendlyrentals.net

dolphinsdragonsanddinsoaurs.com

phucquangphat.com

charitydigitalnetworks.com

czhuiyue.com

thetripletwomethod.com

harvestexcitementonline.info

Targets

- Target
  
  RFQ_SMK_2020.exe
- Size
  
  252KB
- MD5
  
  92eeab6ae27f7e8ebd78d6ab90f43c28
- SHA1
  
  74edeb5d49e3ad3ba7d790587cb11e41c448934e
- SHA256
  
  a292d3bcad4d1b89f818b84b070e269ed683e1f22a09209c4943c1693cb12d58
- SHA512
  
  ae5a0bde88ab4073f4b1e18948db6b8b1a11306ee75e072125caef5ed9641c442c73bc24dd4fa6c22b4840a42bdf48081690719d00dbcd8226f8dd35d596a44b
Score

10^/10

formbook b0y persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2