formbook | 12a2e2cc7cbb6a6596a683724d2eb4b83782589c561b9bcf1f9d4aab0cfe97bd | Triage

Submit
Reports

Overview

overview

Static

static

specificat...te.exe

windows7_x64

specificat...te.exe

windows10-2004_x64

Sharing

General

Target

12a2e2cc7cbb6a6596a683724d2eb4b83782589c561b9bcf1f9d4aab0cfe97bd
Size

379KB
Sample

220521-nxjdcshdbp
MD5

6f4fce5fdfa84fd2f97ac966274e4d53
SHA1

4697f46f8a237340edec0e162e078917ae90dd3c
SHA256

12a2e2cc7cbb6a6596a683724d2eb4b83782589c561b9bcf1f9d4aab0cfe97bd
SHA512

e699963cc6971e3a64b1cd6fd66d83cfe09aa9a65bf29cd4b1659da36e7178886cd7c02de7af9d746c5335c0ae14e7fd79e67821d8ae6e419f97d42683075899

Score

10^/10

formbook modiloader n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

specification quote.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

specification quote.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  specification quote.exe
- Size
  
  810KB
- MD5
  
  299c603f94babfbb8c3603dd391cec98
- SHA1
  
  eb9c84751d0e0421ee3ec284a2756885f75c8586
- SHA256
  
  65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4
- SHA512
  
  7c5d3ce7efead015fbafa3eb9578ec79eab4d8661f00d82dc4abc19dc98c7d490625de0118ded95fc39bb6d847c9cbb51ab5860023ff856291c9189d136ffe05
Score

10^/10

formbook n7ak persistence rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealertrojan

behavioral2

formbookn7akpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy