formbook

General

Target

5137d8d8948d56882e128735f0ad7ae812700cb3a3aad8778c68196657d094a5
Size

256KB
Sample

220521-nslb6aeag6
MD5

620d3545a4f093b696e3653d26f2b1fc
SHA1

2991504082225cd60b25ad25c2113a3088a37d5d
SHA256

5137d8d8948d56882e128735f0ad7ae812700cb3a3aad8778c68196657d094a5
SHA512

a3e354171fd221bd4138edd4cb1702b161ed7024b10e164baa88d089abcc9ab3f7d5b7f06b1eabfe7316de9dd13e55493af228bc3df19c1c72080fb4f49cf9a8

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dmr

Decoy

thietkewebngay.com

fdgre.com

silverbuzzer.com

d55105.com

ccc693.com

diptya.net

oleasalon.com

vjvtjkic.biz

edmsociety.com

siyahmaske.win

lmnp-occasion.com

platocosmos.com

fakua.top

albertabarricade.com

kakaninrecipes.com

bestsmokeapp.com

hotelsitaly.online

brewtopiaapp.com

1q1twoother.men

wwwmaharashtratimes.com

Targets

- Target
  
  017-08.exe
- Size
  
  524KB
- MD5
  
  cf1749c2777e77ea56d55148cf96f939
- SHA1
  
  d773b5765fea2e2ccc65a1b3cdce92acbf111796
- SHA256
  
  8e2f9a1b23ade94b0803ea57ac92e916daad73d760f075fed8f1443715104531
- SHA512
  
  9218ad6ac387daed149ccbb4824cb25e67b307fd7e4eb1bb8872da2181039a057bf6bd134247b1bcca2c75f9f8d035def9fabfa12e9624692b929f28eb95e511
Score

10^/10

formbook dmr agilenet persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2