formbook | 1e74c1eeb3cc1017ad88de0588d82b31fa5b0de826f4555a77bfbd9f1265dd8f | Triage

Submit
Reports

Overview

overview

Static

static

Anekgroup Order.exe

windows7_x64

Anekgroup Order.exe

windows10-2004_x64

Sharing

General

Target

1e74c1eeb3cc1017ad88de0588d82b31fa5b0de826f4555a77bfbd9f1265dd8f
Size

449KB
Sample

220521-n7q6yshhfn
MD5

b11c74fe738b935d1d90ad905c5ac046
SHA1

39f2051d20c1d8463e47da0ecbc9987c7c358128
SHA256

1e74c1eeb3cc1017ad88de0588d82b31fa5b0de826f4555a77bfbd9f1265dd8f
SHA512

fc58a4b6e3b64bcb803a4fdff220c81275e263ee541641bc6d3f2e4321e8832437a502be4b2220db23fbd190209acd6dddfac3dded319e7a4a8abb7d883153e4

Score

10^/10

formbook xwqs persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Anekgroup Order.exe

Resource

win7-20220414-en

formbook xwqs persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Anekgroup Order.exe

Resource

win10v2004-20220414-en

formbook xwqs rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xwqs

Decoy

miracledynamic.win

farshadzandi.com

cruisesociety.site

alluredecorate.com

topseptictanks.net

goodguysblogblack.com

xn--80aaexkk3ad8c.com

manbet22.net

ristohotelcastellani.com

vesinhvinhlong.com

fashion-phoenix.com

iferrara.expert

sellyourart.gallery

hayatmag.info

serafimasflowersparadise.com

4p1o3a.biz

maidonline.net

kuntaijinrong.com

makethebreastpumpnotsuck.com

europeansmartcapital.com

familyfolktales.com

thetowing.world

zulemalabra.com

yennyso.com

asmnb.com

aryabhisak.com

taqueriaelherradero.com

ilovebuz.cricket

streamone.studio

othreport.net

xvyhhx.download

stratz-consulting.com

flangeroofs.com

aspiresuccessconsulting.com

ohiorecoverypros.info

xn--igt54izq0a.com

mojzesz.email

ecosnus.com

robocroft.com

secengine.net

thczepam.com

studiopenelope.com

chrisrubino.net

immogecheck.com

pier39.news

studentcreditcardreviews.info

plombest.com

04sbw.com

vonkeppel.com

pastecolor.com

boot-kik.com

comegetsomevoip.com

arttextileduverdon.info

bestworldwatches.com

dimasjts.com

offerberg.com

cqchidu.com

luxeladybee.net

turismosaoluis.com

jubfps.site

bobandbertie.com

1i0fourapple.loan

pushinglovely.com

abacusfinancialgroupinc.com

mansiobok3.info

Targets

- Target
  
  Anekgroup Order.exe
- Size
  
  494KB
- MD5
  
  d2b789d2c98252774eb46369c122e862
- SHA1
  
  79d2d76e879bf3dc2d9c5c748fd69c37ce6c3d16
- SHA256
  
  823f72e280224715e6d4f7fff1f792d2c372d7633eab250f2308325eff114c18
- SHA512
  
  e2b217874575571d6159a35cc34be34de1ba078e17084e5965f56e4066b6ca8acbdf1bf40d4a30ed5c21a0716baa308778af1fdd02f2bbd1d9f7a036d44b1d84
Score

10^/10

formbook xwqs persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookxwqspersistenceratspywarestealersuricatatrojan

behavioral2

formbookxwqsratspywarestealertrojan

© 2018-2024

Terms | Privacy