formbook

General

Target

998054c2fd09143ef422cfb952491ecb0e456c61ae22bbc8ad17eaf3ef2871f5
Size

252KB
Sample

220521-nttd6ahcap
MD5

366a64a3956b641c5601ce3b2eb7d7d2
SHA1

8ee2b69b5db8a63f14447b43c65bda7c6b18537c
SHA256

998054c2fd09143ef422cfb952491ecb0e456c61ae22bbc8ad17eaf3ef2871f5
SHA512

1522af9c07d83e7c8a106d627c8cfe0c7264505370f5b73cfc28c5be4efbd6b7e1189985bf08082c11ac7e0335583402ab346f67a92d541cfc939103d54c48eb

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

23v

Decoy

1l4m-5qeh0cgx9a.com

portsel.com

vypnxg.men

renrenbaoshangcheng.com

hulebang.com

heatburnio.com

amazingthunderworks.com

quantumreapers.com

8801i.info

moonlightmanager.com

bqypm.info

backlinkbarato.com

jiudianhuixun.com

markerbio.net

empety.com

eternalkollection.com

teknoshift.com

petitenobel.net

zlmqv.info

emotionalcontrols.com

Targets

- Target
  
  PAYMENT INSTRUCTION.exe
- Size
  
  335KB
- MD5
  
  68e94fa2a66e2ffcf9d4d45bd927b019
- SHA1
  
  b5d64de2710a3798c621b7974b482f3e584b9da5
- SHA256
  
  48bef4e5d2768c5ccbbc84d922a276484ce75ed236a72441b5148d7a541a52e3
- SHA512
  
  a812d740cf39f170e7a4e2706d79424c52eabbab402dbf901a0d56a8e3c5a6165045745f1209372adafbe9d61d19579d1a84401cd8bc3e75a2712354cd4bc948
Score

10^/10

formbook 23v evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2