formbook | ca44d4aadf6c7f4120ab51143b5d05a46737ad470cf593c372901ca0f0ee2b2f | Triage

Submit
Reports

Overview

overview

Static

static

9

PG2005005.exe

windows7_x64

PG2005005.exe

windows10-2004_x64

Sharing

General

Target

ca44d4aadf6c7f4120ab51143b5d05a46737ad470cf593c372901ca0f0ee2b2f
Size

354KB
Sample

220521-n9ewpsehb2
MD5

fd2402999d516ef1ae4037db15d7f75a
SHA1

934bb6a6460644ccf60766b6b048b54ff735be90
SHA256

ca44d4aadf6c7f4120ab51143b5d05a46737ad470cf593c372901ca0f0ee2b2f
SHA512

bc9639051edef312944ddf9327655254f3fc7b7dae7b09d936aa56b5d0076a0065224431bb0eef417c3d117285e5ddf87b63c8d8b357a553248a2050b5e3fada

Score

10^/10

formbook ev08 persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PG2005005.exe

Resource

win7-20220414-en

formbook ev08 rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PG2005005.exe

Resource

win10v2004-20220414-en

formbook ev08 persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ev08

Decoy

elysianhomesanddesign.com

emplytics.com

rx-server.com

yunkeguanjia.com

069xke.info

xgltnpzoai.biz

vizebasvurusuislemi.com

willenochhardscape.com

luciovicencio.com

369zhangting.com

dealsamzn.com

epsilontech.net

longzhimy.com

drfenxiyi.com

perfecttiger.win

jon-lisa.com

projeen.com

tpak4.com

telurasinjulak.com

grhcew.men

demirevent.com

haisichou.com

bringwisdom.com

riyadh.school

gzmeijin.com

mtabram.net

lesbiansvid.com

partnersfinder.info

946s.com

houdaoxny.com

brinkpro.online

branchcreekoutfitters.com

xn--xhq8b70l5mk61k1yrvi5c.com

wwwwnsr108.com

neevfund.com

xaxiaobanma.com

nb-yy.net

howtobeafreak.com

qinu.ltd

bolle.network

postnlpakket2.info

leiguan88.com

cabditect.com

xiaohanlin.net

theduangjittphuket.com

abeautyfulmind.com

desheng-info.com

pickafight.email

britishral.com

ee8xhs5kxu.info

devinandcaroline.com

mysupersweet15.com

airport-parking-heathrow.info

jememedia.com

pay-number.com

cleanly.info

footatconstruction.com

yepchain.com

dinroseal.com

descubreelmundo.com

theysaycheap.com

os-sys.net

vailtrappings.com

vitaligentjobs.com

mansiobok.info

Targets

- Target
  
  PG2005005.exe
- Size
  
  389KB
- MD5
  
  3316029db1ea9e093aeb24566210e240
- SHA1
  
  a1dbdaa76bbc5d0617d3ac44074424316c8a5af9
- SHA256
  
  2ed611befc2af97a0bf7bada7f7b53d4f625f99620983252455e675d22021bc6
- SHA512
  
  28403a94f04b50b3c3304306706385fd573e4106a15f7d0a8f03663ae96de63f055dabb2d43823ea73297bd3df34435719326e635f110ccd6377b48efc67cc42
Score

10^/10

formbook ev08 rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookev08ratspywarestealertrojan

behavioral2

formbookev08persistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy