formbook | 564cf035463b7a4ddcb4bb4821ff47742e9fcd7e0764503b4fbeb87242c22fbf | Triage

Submit
Reports

Overview

overview

Static

static

STATEMENT ...TS.exe

windows7_x64

STATEMENT ...TS.exe

windows10-2004_x64

Sharing

General

Target

564cf035463b7a4ddcb4bb4821ff47742e9fcd7e0764503b4fbeb87242c22fbf
Size

383KB
Sample

220521-nsgzqseag2
MD5

1d2adad8e2b1e050e58634ee5147a684
SHA1

ccfc606f8de4539afc2c400100fe2cb6f3acd0a2
SHA256

564cf035463b7a4ddcb4bb4821ff47742e9fcd7e0764503b4fbeb87242c22fbf
SHA512

4953c6dffbe7193337b1d59dbf18a7aa5b4055c1f330b1eed3d1437b5e33c1dffa229b5effb2a5c97eaff0cd12867ee3fcdacdbcb4b49bd997803147e30f17ee

Score

10^/10

formbook nfl persistence rat rezer0 spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

STATEMENT OF ACCOUNTS.exe

Resource

win7-20220414-en

formbook nfl persistence rat rezer0 spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

STATEMENT OF ACCOUNTS.exe

Resource

win10v2004-20220414-en

formbook nfl persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

nfl

Decoy

giacamp.net

qb51.party

mashalevine.com

russiasexdating.com

jitangyy.com

morockin.com

karoreiss.com

tractionhero.today

bienvenueenprovence.net

stormharbour.info

61999h.com

tryandcert.com

bestwaytosuccess.com

laobaochang.com

otomatiktente.com

rehpb.info

ivpdqb.info

dc-wv-wv-ie-q.com

goingmagic.com

cimachain.com

northernengage360.com

wastewatertreatment.systems

coinopy.com

shoudami.com

mobilbahis.world

qshkr.com

okccashforhouses.com

mattressesspot.com

fyou168.com

131bb6.com

browserangel.net

transliberte.com

bakir-sulfat.net

rossilawfirmny.com

timothy-kwan.com

sdhtxj.com

affluenttoronto.com

profile-lord.date

77eb0l.faith

worldcup.city

nytimesnews.net

sarahdigiulio.com

343manbet.com

archeryunion.com

bullitshield.com

wzhan.ink

thehamzas.info

fyrwrk.net

klassy-kinks.com

bolttorquechart.com

willingcake.com

mohameddarbal.com

e-chicha.com

healthyperfection.com

steklonti.com

beauxtaylor.com

186524.com

libertybarracks.com

urban-compositions.com

michaeljlee.net

planovafg1.com

merrint.com

416thencomassn.com

xn--2j1b95kqybe0ioxir3sl4c.com

salomdy.com

Targets

- Target
  
  STATEMENT OF ACCOUNTS.exe
- Size
  
  464KB
- MD5
  
  bbb834f13790a853aafd0d0adab527f4
- SHA1
  
  8b20c41d9c082642d9d7c858105d224b81f6fdc2
- SHA256
  
  c1b2a36d08dfb9bc18d53112299e6cef0c5057885918a4485b8f1b87a20d709a
- SHA512
  
  68303db868b5bf9897e636caf946c5dde5cf28e0590649e1f8e4b0e998eb7c1ea599b87c95f6f7361effcf6fb04737168ed15d9aad95e77acae3dfb619cfe87b
Score

10^/10

formbook nfl persistence rat rezer0 spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbooknflpersistenceratrezer0spywarestealersuricatatrojan

behavioral2

formbooknflpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy