formbook | 33b1ceb947efe5ce7ace07a0790c5ff4eaf7f2b0ee78dafdbeee51c7df1322ce | Triage

Submit
Reports

Overview

overview

Static

static

SWIFT DOZNAKA.exe

windows7_x64

SWIFT DOZNAKA.exe

windows10-2004_x64

Sharing

General

Target

33b1ceb947efe5ce7ace07a0790c5ff4eaf7f2b0ee78dafdbeee51c7df1322ce
Size

358KB
Sample

220521-mzt27scgd4
MD5

0a7efc3b912f71df3e25b61c35307300
SHA1

9c2e0dff2a7e72b3371b7d9e3c0bcf852dbf1721
SHA256

33b1ceb947efe5ce7ace07a0790c5ff4eaf7f2b0ee78dafdbeee51c7df1322ce
SHA512

cacf415994cd083dc07ab97fd7213e4c5e1beeeba1b3f843b2ea1d0ce6bbf82e28917db148c7025d0667adc34f0a0df20970e6b2fe2967caa4b7aea1b74cc7a4

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT DOZNAKA.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SWIFT DOZNAKA.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  SWIFT DOZNAKA.exe
- Size
  
  655KB
- MD5
  
  af3108b6d0e79e10bbe7d41569329242
- SHA1
  
  f0664a4be7c9b187f441912c342466d1f1952b84
- SHA256
  
  85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
- SHA512
  
  7f62d22804daf98e2ccc7176834f089aafca465e7f971eb9f64720003c57dc7888eddb709bfd4858ced5ab6261a220d610c47e0a6a31c2f296adb32ad5bc8180
Score

10^/10

formbook n7ak persistence rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealertrojan

behavioral2

formbookn7akpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy