formbook | d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3 | Triage

Submit
Reports

Overview

overview

Static

static

Payment Slip.exe

windows7_x64

Payment Slip.exe

windows10-2004_x64

Sharing

General

Target

d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3
Size

199KB
Sample

220521-nqqh4ahbdj
MD5

62cb528f84fda91308364f6c535f5dbc
SHA1

4a1f614c76bfbd52c37c5f742cf64e6c6b314f0f
SHA256

d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3
SHA512

4929d8991a638e28ad8b2989d192c9551eb5aec46449e0963af469581f229bae54dc146bf132f3f4ec44e07b2fd3350b2833c8af0929ccfe442e1a2b482fa68b

Score

10^/10

formbook kfr persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Payment Slip.exe

Resource

win7-20220414-en

formbook kfr persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Payment Slip.exe

Resource

win10v2004-20220414-en

formbook kfr rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kfr

Decoy

pensight.com

in4rac-acc3es-re7unds1.com

iznjreb.com

globalqled.com

njzscy.com

763bifa.com

coinpatent.com

tipsfoorti.com

lukusabusiness.com

tokaminerale.com

jinshavip74.com

idbcc.com

maxfacto.com

graffititheworld.com

connecticutwatercooler.com

matroofing.com

route-ceram.com

redwaterservices.com

bracifyritugupta.com

discoverfrenchtown.com

calaveraskull.com

0pe158.com

callflakes.net

exploremoreco.com

artisantilecompany.net

bestoffunmovie.info

cafecondani.com

lovelaceboutique.com

zsupplements.com

cerecaustin.com

myquiz.win

netgrowthstrategies.com

qk9four.loan

skew.market

topnotchhardwoodflooring.com

berniesofly.com

oneworldrentals.com

enradex.com

mining-journal-30.com

mylifestylebyclem.com

ecomobilecarspa.com

xarkz.info

macdesarrollos.com

1818zsw.com

cheryllovesthesun.com

431man.com

healthylifeteamonline.com

t1xh7.com

lyitrc.com

digitalassets.network

sacrificant.men

jpbtestsite20.com

doneasa.com

huntsvilleguru.com

californiaautodealerlicense.com

retireinyourstyle.com

donelis.com

jyothimusicalband.com

oracle4business.com

kingcash.money

market-play.com

permatabnet.com

majorcoding.com

zepi.ltd

howcuty.com

Targets

- Target
  
  Payment Slip.exe
- Size
  
  278KB
- MD5
  
  e2ac3d9facc2259a85c66087ff0b6a85
- SHA1
  
  b592f4eea4d6632f6f543c75d71c4749e8aa8b69
- SHA256
  
  370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
- SHA512
  
  226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c
Score

10^/10

formbook kfr persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookkfrpersistenceratspywarestealersuricatatrojan

behavioral2

formbookkfrratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy