formbook

General

Target

0eecbd1cfe11cd04f57f0df6928d2a9994d8bdddf0e52dbc3629481fecb115ee
Size

218KB
Sample

220521-n7ywssege3
MD5

e1275647a9c95b457b73ef9466349c2a
SHA1

209d6434a2d43ec3597ce1bbab4481b2c9adac07
SHA256

0eecbd1cfe11cd04f57f0df6928d2a9994d8bdddf0e52dbc3629481fecb115ee
SHA512

d7632321bafb832ee7e54576df8489a44720ca807261b1d3414ff9b6ab25ebe10e158b834c9003b57f9ec5373f04721dadd9a8ff098f00e77a9365c8478f7cf6

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

jb9

Decoy

cloud-medical.com

maximtech-bd.com

3d-sprint.com

624vhw.info

nexdesk.net

flxcustomsigns.com

gvuzejobxa.info

xiaobaokm.com

565mt.com

servicioscuery.com

500360.biz

stephanieshermanart.com

boozebird.com

merckcousa.com

frenchkissldn.com

lucyfaulknerllc.com

egekartus.com

bookyabber.com

cardiacimaginginpractice.com

deucessound.com

Targets

- Target
  
  DOCUMENT AWB_844790342632_pdf.exe
- Size
  
  288KB
- MD5
  
  91a124938062fac6e7682b55fd314413
- SHA1
  
  f36bea3ccc4a93290456aaf31bf2bdc2d594a05e
- SHA256
  
  01214bebe6eb99ea6540145d7ad3e5f5a8a11691610be73aa24dc1107a71e360
- SHA512
  
  b1a11c0a3ef61c0e5243a5b2581adc7e937a67ce6f5dac1bb0dbed734742df8475eb03fc396a77ed81c3559aff82ad989ce9ed2f20019561e75e9172dc06a644
Score

10^/10

formbook jb9 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2