formbook

General

Target

aa207e0f5f2bad97d8a0209d6d5b4583ecb32311aba7c6e996125f0a07c11c02
Size

388KB
Sample

220521-mykr5scff6
MD5

03a68b507c40e441b222f8d8a1c1cdaa
SHA1

e9a8896fe4ef5b40f2e1d88b023d527b3044f270
SHA256

aa207e0f5f2bad97d8a0209d6d5b4583ecb32311aba7c6e996125f0a07c11c02
SHA512

6fb94cdc9d0e10bbeea61e8224954b80bfc9fd9eb3ba40132d6927e5b82930370e4ac204c9e6a805212b57acdaaa1d9c490777f37df4f9c5a9b1020d98d6ee32

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

k2w

Decoy

brittanybeck.com

idapple.mobi

sharoncement.win

smerchenko.com

citizenssenergygroup.com

landhawktactical.com

yilingshenghuo.com

lifa97.com

8160pe.com

sf-purify.com

bloomingamaizing.com

thymeshares.com

rainwatercollectionhq.com

jaseba.net

whoistom.net

gn70.com

payperclickad.info

jessicagorbet.com

portlockproperty.com

mindset-beratung.com

Targets

- Target
  
  Aquatherm Rechnungen 384890 _Xlxs.exe
- Size
  
  606KB
- MD5
  
  82015111b3cffed68fee74b525f3265b
- SHA1
  
  e43ae387a8bd5ce994a0529b0e1f0bc6c4ae8af3
- SHA256
  
  49f8b73df45213da0f86e871fbd8d231cdfcc30e7ef8041d38ef062884e47b2e
- SHA512
  
  54d227662a69606f19f23ddea553445f0f0e197928a12f31cbc24864233a63f4ddcab15293567ca051933b3e05180437077ab4b0c3e4895f2b8c39e702db3372
Score

10^/10

formbook k2w persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2