formbook

General

Target

f103740fb52ede21a83869422e975388b8d8465d67cac671b92b4146c57dab20
Size

564KB
Sample

220521-ntzwyaebc9
MD5

036509dc1fd86333d36fffdda5500260
SHA1

a3898faec4e318d5ddeaee44a87cb85105d87a12
SHA256

f103740fb52ede21a83869422e975388b8d8465d67cac671b92b4146c57dab20
SHA512

bfbfd66998d7d24a2af3c72d08185abf96518ccb01b9298196ba8e3cbab8123db8cba81d7372922c4a5c38920c778aaf660040c5e10525cbafcfcb75c931df53

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

- Target
  
  Attached is the new order, mecano group.exe
- Size
  
  1.1MB
- MD5
  
  727396a68b9b5cbf700d7b948db6d830
- SHA1
  
  bd50594103f8554d8e076f0cc3a5a65c95586bee
- SHA256
  
  ca1d053d41842ab4052e83f395cfef43d3b79f16a5c437fbfcc10fef27c97ca8
- SHA512
  
  a1a1129d9630a3731daaf22bf67baa655bf8026da116e69d008641e9697dbaab9ac78a6a2c5acdeb733df64c8a343c88ef822adf07ace41cf95fbb64d8c0f3df
Score

10^/10

formbook 3nop persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook Payload

Adds policy Run key to start application

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2