formbook

General

Target

f201f5ed829e08dbd5ccb40533f26010f5c3e75134fc1da3f9ed56eec6077300
Size

237KB
Sample

220521-mz6e8scge8
MD5

15cdaba40d68b1aaaa46e176b94dd946
SHA1

6df51e167bb25b675f0f3b79f2ceb52426ca8292
SHA256

f201f5ed829e08dbd5ccb40533f26010f5c3e75134fc1da3f9ed56eec6077300
SHA512

8cec8b6392b21fdbb04c061c916c9b296547c3ed7fbb0570052ae4163eef10708a72c170f338245c0dbd76167cb35cdc52b35d7304ab6f523a57f806e60b8fab

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mw9

Decoy

buyaii.com

zqdhrh.com

essentialsrefined.com

carbo-notifer.biz

cpahitr.com

westerntreasureseo.com

prowrestlingevent.com

hawthornbanksaves.com

vinhomes2.info

atriumindonesia.com

crunchinessretonation.com

masstorthedgefund.com

stroy-staleks.com

chinamarbleandtile.com

tv16878.info

hasegawa-takuma.com

cuxiaomao.com

umhhih.info

ieml.education

mwvllc.com

Targets

- Target
  
  Purchase order PO045793 from Voile Trading Co.,Ltd.exe
- Size
  
  320KB
- MD5
  
  b02fb2439cd88a5e399683f14d6d80ff
- SHA1
  
  7098d5175626c3bef989a7d0e0344158a752ebc4
- SHA256
  
  c6bed06259f7c50c2b15e8161d5b1fa11690e69a7e5bb3261202debfb7d96708
- SHA512
  
  aff2394e671e8f8b33d7bf5a4444590fb53c74a2f6bc29faf3627a467652f0d2d7f1bd22c420bd46621638ff2849c30be265b71ecce89b14f83a4d68b6cf78ba
Score

10^/10

formbook mw9 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2