formbook

General

Target

3dc9242174f1a2ab0c304d3cc5ab7e5ba900f252c7f1bef2b408174517070869
Size

475KB
Sample

220521-n7czbsegb8
MD5

54549d3228636cd5c86aa545dc686080
SHA1

5c00881d94927c9fba937ef2d0d18775a9a9ec3f
SHA256

3dc9242174f1a2ab0c304d3cc5ab7e5ba900f252c7f1bef2b408174517070869
SHA512

0b1f5a26434361bbb1163f2127a0295941f0b9a74a09e968ca905c0bc2ec064792b6a42e4f7fad6c7bd38e1ce86fa6a30b5e717872a40766fb8f39cfcc3478f8

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cuzy

Decoy

qytzkd.info

cotils.com

globl.photography

kczyzc.com

aero-re.com

k2centrope.com

gmiecuador.com

plufacile.com

hdlivewatchtv.com

hormongefluester.com

taarufnikah.com

extremecoffeemachine.info

jobnavio.com

duihuanji.com

buyspotifystreams.com

dieteticienneetgourmande.com

calmcreativebox.com

eletriking.com

shenzhu3.com

bis-en-ligne.com

Targets

- Target
  
  UVMXBIMGPQmBopg.exe
- Size
  
  532KB
- MD5
  
  57922b4e9d102a43d8758ba35df42969
- SHA1
  
  b175108ff8d06e71ab8fc22e2504891b9838015b
- SHA256
  
  85915cd56ea653449e15a3f3b393bf398c1135221139d75a5349b51831413937
- SHA512
  
  028a8d9607ec8c638900b7e8988ff5ad91fbec9291a95862dcfdb0842d63128a6c0a67dff5ff99788a972f64bbb4a9cf67e9d3ad821a8f7c0675b730c448d653
Score

10^/10

formbook cuzy persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2