formbook | cfd85f7690b503154bad4aed263e953b0b5da84cd8dc8eaa0b99302be53f36d9 | Triage

Submit
Reports

Overview

overview

Static

static

PI Confirmation.exe

windows7_x64

PI Confirmation.exe

windows10-2004_x64

Sharing

General

Target

cfd85f7690b503154bad4aed263e953b0b5da84cd8dc8eaa0b99302be53f36d9
Size

306KB
Sample

220521-ntbt4shbgq
MD5

0c21dacbb9b71985dfb7c8b81c631141
SHA1

7a7f0aa9689232fca86562f77f08b9e1b07db3cc
SHA256

cfd85f7690b503154bad4aed263e953b0b5da84cd8dc8eaa0b99302be53f36d9
SHA512

007e1560ec6aed90707d10dab06b0ba49f388691b95c0db600e09fb053f34794b47f8c26f293611091f227b2628c5f511eb69a11833964592ef95cb283358478

Score

10^/10

formbook ev08 persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

PI Confirmation.exe

Resource

win7-20220414-en

formbook ev08 persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PI Confirmation.exe

Resource

win10v2004-20220414-en

formbook ev08 rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ev08

Decoy

elysianhomesanddesign.com

emplytics.com

rx-server.com

yunkeguanjia.com

069xke.info

xgltnpzoai.biz

vizebasvurusuislemi.com

willenochhardscape.com

luciovicencio.com

369zhangting.com

dealsamzn.com

epsilontech.net

longzhimy.com

drfenxiyi.com

perfecttiger.win

jon-lisa.com

projeen.com

tpak4.com

telurasinjulak.com

grhcew.men

demirevent.com

haisichou.com

bringwisdom.com

riyadh.school

gzmeijin.com

mtabram.net

lesbiansvid.com

partnersfinder.info

946s.com

houdaoxny.com

brinkpro.online

branchcreekoutfitters.com

xn--xhq8b70l5mk61k1yrvi5c.com

wwwwnsr108.com

neevfund.com

xaxiaobanma.com

nb-yy.net

howtobeafreak.com

qinu.ltd

bolle.network

postnlpakket2.info

leiguan88.com

cabditect.com

xiaohanlin.net

theduangjittphuket.com

abeautyfulmind.com

desheng-info.com

pickafight.email

britishral.com

ee8xhs5kxu.info

devinandcaroline.com

mysupersweet15.com

airport-parking-heathrow.info

jememedia.com

pay-number.com

cleanly.info

footatconstruction.com

yepchain.com

dinroseal.com

descubreelmundo.com

theysaycheap.com

os-sys.net

vailtrappings.com

vitaligentjobs.com

mansiobok.info

Targets

- Target
  
  PI Confirmation.exe
- Size
  
  669KB
- MD5
  
  39c13f82ae8a3803684959e14772c5b0
- SHA1
  
  5284c7308994dbe3348c320499c3756aeae50f1d
- SHA256
  
  f4c535616a04819e9553cb3dbac66db0021065fb89a5e5c799c0b4eb301fb582
- SHA512
  
  55f7bfbf2cf916bee80d51827fbb8394f97c2fee12c2ea060b52e06b51c996c43bd4475dae7464cce71915e14ed7151dbee23252fb2e6f4046542488d68cf442
Score

10^/10

formbook ev08 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookev08persistenceratspywarestealersuricatatrojan

behavioral2

formbookev08ratspywarestealertrojan

© 2018-2024

Terms | Privacy