formbook | 877df31644a31293d6046a85562fba4298e69598f862c38db8f2c68ca75bf783 | Triage

Submit
Reports

Overview

overview

Static

static

Advance TT.exe

windows7_x64

Advance TT.exe

windows10-2004_x64

Sharing

General

Target

877df31644a31293d6046a85562fba4298e69598f862c38db8f2c68ca75bf783
Size

196KB
Sample

220521-nrwrhahben
MD5

911ce26eb8199974cd4fa3c1f0ca07ad
SHA1

ebee3f6cda96cfef1b7f83550111f04754ef127e
SHA256

877df31644a31293d6046a85562fba4298e69598f862c38db8f2c68ca75bf783
SHA512

7ec27bf0a0a9c2af899e0a0c8dcdf72133b0f82a84a927e93a2544fb8316b4222a80a83c553793285cb76222ddac63cc58dfe40876698a14142f055209a441dd

Score

10^/10

formbook kfr persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Advance TT.exe

Resource

win7-20220414-en

formbook kfr persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Advance TT.exe

Resource

win10v2004-20220414-en

formbook kfr rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kfr

Decoy

pensight.com

in4rac-acc3es-re7unds1.com

iznjreb.com

globalqled.com

njzscy.com

763bifa.com

coinpatent.com

tipsfoorti.com

lukusabusiness.com

tokaminerale.com

jinshavip74.com

idbcc.com

maxfacto.com

graffititheworld.com

connecticutwatercooler.com

matroofing.com

route-ceram.com

redwaterservices.com

bracifyritugupta.com

discoverfrenchtown.com

calaveraskull.com

0pe158.com

callflakes.net

exploremoreco.com

artisantilecompany.net

bestoffunmovie.info

cafecondani.com

lovelaceboutique.com

zsupplements.com

cerecaustin.com

myquiz.win

netgrowthstrategies.com

qk9four.loan

skew.market

topnotchhardwoodflooring.com

berniesofly.com

oneworldrentals.com

enradex.com

mining-journal-30.com

mylifestylebyclem.com

ecomobilecarspa.com

xarkz.info

macdesarrollos.com

1818zsw.com

cheryllovesthesun.com

431man.com

healthylifeteamonline.com

t1xh7.com

lyitrc.com

digitalassets.network

sacrificant.men

jpbtestsite20.com

doneasa.com

huntsvilleguru.com

californiaautodealerlicense.com

retireinyourstyle.com

donelis.com

jyothimusicalband.com

oracle4business.com

kingcash.money

market-play.com

permatabnet.com

majorcoding.com

zepi.ltd

howcuty.com

Targets

- Target
  
  Advance TT.exe
- Size
  
  254KB
- MD5
  
  8a749626808c84035d23f56f95e8c2b8
- SHA1
  
  94870526b249acfe3f381387ba0f089c3598424a
- SHA256
  
  e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e
- SHA512
  
  d6e0835117436502f359900b800410d0f8b28937740be5a618a3993f1e0007947e914afe88f9cc1dbf5d1590ac7b554a586547692ac0511d86b2ffa540c1a97f
Score

10^/10

formbook kfr persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookkfrpersistenceratspywarestealersuricatatrojan

behavioral2

formbookkfrratspywarestealertrojan

© 2018-2024

Terms | Privacy