formbook | 4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase O...df.exe

windows7_x64

Purchase O...df.exe

windows10-2004_x64

Sharing

General

Target

4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1
Size

310KB
Sample

220521-n8kessegf9
MD5

0a20f8f392937693b8b163fc958b7cbf
SHA1

3f5d01ae44674d52190736fea15a574a3a174656
SHA256

4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1
SHA512

c9e7829f69a54338f63dc493e68ef5640d450c18baa1e21686a1868680a3a7a6eac9900ad341233f2312dab02306661c624cd859249cb177536ff363cd1ad461

Score

10^/10

formbook 4vx persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order.pdf.exe

Resource

win7-20220414-en

formbook 4vx rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase Order.pdf.exe

Resource

win10v2004-20220414-en

formbook 4vx persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4vx

Decoy

kontinuer.com

outofthebluelove.com

docentrood.com

emowm.com

jsa862.net

kshoworld.com

kumsalkorel.com

adrigh.info

goldentrianglerv.com

youkuy.com

lindaclijsters.com

audreyfarley.com

alasitter.com

uscar-boerse.com

successwithfletch.com

474opebet.com

xjlfb.com

doingworkabroad.com

0pe864.com

ittestperfumeok.live

newfaith-ministries.com

longfellowpurebreds.com

aeroclubcrema.com

lifehandson.com

diamond-distinction.com

miaowbid.info

chicagorefinanceblog.com

news3033.com

jllsjl.com

tianshidaxue.com

wenbuwen.com

helpme.science

manulifeindonesia.online

407motorcars.com

tuneinchannel.com

chrisbuie.com

e-karta.online

haohuofenxiang.com

boav75.com

dovu.ltd

countryhomecityhome.com

klmloanservicing.com

jwxqfx.info

allaboutrosalilla.com

550315.top

giuongnguxuatkhau.com

ambassystyle.com

someron.com

ghplhose.com

blogwithapurpose.com

spermbank.men

taveon.com

danceyourability.com

chuangxingcn.com

ksvvu.win

xn--6cs32cp56d.com

tediapowell.com

avayqk.info

promotemeentertainment.com

tuhfa-gallery.com

superyachtprojectmanager.com

leisterheating.com

themercantileshop.com

youpinyoufu.com

joomlas123.com

Targets

- Target
  
  Purchase Order.pdf.exe
- Size
  
  385KB
- MD5
  
  00d7241de149d6511579e6d5ad7974ec
- SHA1
  
  0257125b4e77f3dffeb21709a39668115015c0b8
- SHA256
  
  575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3
- SHA512
  
  bfad300716c91bc0559d0f4cb16e361e39646b67d2651a50e67415ba7a28daf687310bdfb3dca6d2113c7c3fc6f5077921c4949a692fbcf62c703cd675921450
Score

10^/10

formbook 4vx rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook4vxratspywarestealertrojan

behavioral2

formbook4vxpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy