formbook | 850028d7e116466f16ff9e1f4539f9fefa1f3ada193f5a584bc055934ac6c89f | Triage

Submit
Reports

Overview

overview

Static

static

SWIFT poli...to.exe

windows7_x64

SWIFT poli...to.exe

windows10-2004_x64

Sharing

General

Target

850028d7e116466f16ff9e1f4539f9fefa1f3ada193f5a584bc055934ac6c89f
Size

503KB
Sample

220521-nv55cahcfm
MD5

fab429aed3688d37c1a8cfc92e946eac
SHA1

816ae0a530f9655e70963cf7af74e12d6263cc93
SHA256

850028d7e116466f16ff9e1f4539f9fefa1f3ada193f5a584bc055934ac6c89f
SHA512

9a01a1c0c2d538eb4ca5cac4c7f100097257e64f85f1ca6a586e0fd1eb08d5d54a1d121932042537a069cf9150cadb08ce1b9cd1e6a217e7c36f2650a06ea8d0

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT polizza di versamento.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SWIFT polizza di versamento.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  SWIFT polizza di versamento.exe
- Size
  
  1014KB
- MD5
  
  324b9c9d6e2ba577e659b7d84852b4cd
- SHA1
  
  9327b4ecb17c2369d312e5d06dc02830611bc7a4
- SHA256
  
  a35a1149597435d58703ab662e49dab5ccc96d77529ebacefcdcf9e298c27e51
- SHA512
  
  1e6729ef067ac27317c95a2de8f94e8e58d03ea6e13465d793de2602a0d74090076a1867544d35ceb6fa880b0047e2338617532e52841d3be0ebd7cc8d142c8e
Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealersuricatatrojan

behavioral2

formbookn7akpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy