formbook

General

Target

6674ae975b8079fd9edf1293d718d54070dff7dce7b36812726e3ce7b6ffbba1
Size

257KB
Sample

220521-nxxkzshddk
MD5

afbdcb9ec0052ee638733715b0e248ca
SHA1

e50a189c1249b43c33899f1c9c98a059508666cc
SHA256

6674ae975b8079fd9edf1293d718d54070dff7dce7b36812726e3ce7b6ffbba1
SHA512

99e0d0c376b30ce1ad5d75e3193a444e41ce58cce885e52e67fbb0aeb51dd39738d1531e05e6f089894699f6a0029591c7f0834da2d2a3075c51a1d1c2171d43

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gw8

Decoy

congcuchocothethongminh.com

innoventerior.win

rajatickets.com

9ccoin.com

sz-prf.com

xhtd680.com

ronaldcliftonstovall.com

litecoin365.com

cheekywebhosting.com

smartfuture.tech

medjournal.today

tasosmanis.com

tz69999.com

smashmountainstudio.com

antesalarrhh.com

lvtingzx.com

wishingflowercrafts.com

portathemovie.com

pojokkemasan.com

laurie-rubin.science

Targets

- Target
  
  Shipping Documents and Invoice.exe
- Size
  
  385KB
- MD5
  
  6dc7c43be83d4b6b2e214e5bc28330b5
- SHA1
  
  9663d0ca118c935428b19e254ce1c2da03439e32
- SHA256
  
  b49e31db6107c37ac7f40732102d9b574f9bdcafbc227d22122a527e5142e9e4
- SHA512
  
  1c7961adea4f5006bfe60d89bbeecfad49dd3ae22adedc1230cec36508a1ce5008cef34c4c91a7b0df2a32b9f627f71872e892ccea64909596d02918d66fa187
Score

10^/10

formbook gw8 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2