formbook

General

Target

fe272bc2bdf59b23e1ff41b5aba9243faa18a92d3a3198924ffeb167e1a4236a
Size

538KB
Sample

220521-mxpppscfb5
MD5

3aad61111eeb4cc361b63a755fddba59
SHA1

214d8458a6e894cdc8a90be008ecc8cd696311ef
SHA256

fe272bc2bdf59b23e1ff41b5aba9243faa18a92d3a3198924ffeb167e1a4236a
SHA512

82d74cdfd5d096ea1772e52ac861161782be2c85b2f35521507efdc3763207422d8f7c66feca180dac21c3b5f9fb60aec5cf17b02ac8227273a1c24191678928

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

hm2

Decoy

vodu.ltd

arauderghem.net

bluebackpage.com

cheapairmaxsaleclearance.com

soldiersofarts.com

fbservice.info

x9e7x7.info

davidhenkel.com

plantrak.net

66sbleiv.com

cartierringprice.com

roupeiroblog.com

thxcn.com

baboondynasty.win

thecloudm.com

everythingreviews.net

zimmermansales.net

movie.kitchen

im.help

geebzor.com

Targets

- Target
  
  009888389998789290000-pdf.exe
- Size
  
  876KB
- MD5
  
  c4dc14e8754c36300ae98fa8b4369a40
- SHA1
  
  9cd8e279dff02db6ffb9199cf6cb4ff5fc07cc37
- SHA256
  
  c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
- SHA512
  
  ba4280059eb153941d0c06533542a10d25f5c95c45bbebce620f042560df2557e1eae6ea3a405d6663c9552eb8dc49bb1cfccb2659e834a06fac4587373c7382
Score

10^/10

formbook hm2 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2