formbook

General

Target

31791ad0d3707ca7ffcc7d970c9a70853fded91505dc019d7f7460a42814317e
Size

353KB
Sample

220521-n3lqnseee6
MD5

219b8eea3a397ce0a31333fa6bae9d46
SHA1

53c9b81ab30ced6032fd110374bafe42ff9a54b5
SHA256

31791ad0d3707ca7ffcc7d970c9a70853fded91505dc019d7f7460a42814317e
SHA512

9d4bd7f6f602e7165c1802c94198ed389b46090db6672abb9a3ad7fe087637230d7a1469501b07bb41e982b8aeaa022890c3fee1f3671c97496b8fbb257dba89

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cfo

Decoy

onebrothkitchen.com

mayitoujiao.com

carnevilfestival.com

journalcase.com

innovatpipe.net

topratedhomeappliances.com

parsian-turkey.com

lucindabinteriors.com

sjtellor.com

spicegive.com

palcoprep.com

happy199.com

haydenwalker.com

txlvyin.com

danielmurbach.com

maisondeyul.net

teamworkalu.com

kitu.ltd

kingfisherexports.com

doggystyle-by-chloe.com

Targets

- Target
  
  RFQ47692762531096734.PDF.exe
- Size
  
  629KB
- MD5
  
  90f4a814fbfb89fab340e578699e5c36
- SHA1
  
  bf152875df107a6529e8c81e753496775dcedcc0
- SHA256
  
  f5d46fa7215a9fbc068c2c7c49ec8156b45d6199cac87e9c08cda6647aa4517e
- SHA512
  
  e7044248d00e5ec4aeb821499d1398ff9c2a022f75058dcc17422ed8d4a93edfcfd9574e72e06e0215f2ae91e4a83579cc17862d05d0204eb65e4e292e29df4b
Score

10^/10

formbook cfo persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2