formbook

General

Target

dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c
Size

236KB
Sample

220521-ny6kaaech8
MD5

0fb952bd7d74a69ac56acdc0fb4c9b16
SHA1

abd505039744cc8e2878cadbe076f4da67f4968d
SHA256

dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c
SHA512

fb42235f64da8120982379582e5d5af426157ce518fbc38526a5bf119bde711affa7b15512506dba9e7d659deb7dd9a7d64067dd63d567392ef18842eff085fe

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

y22

Decoy

hashafriyat.com

autoaccessorieshub.com

simelautomazioni.com

bulkappothecary.com

streaminglowcost.com

pixelraps.com

yyy9928.com

pigmansion.net

keyunix.com

bjbangshou.com

mindfulrace.com

fibuv.life

cambridgedesignpartnership.com

plumbeus.com

somebodydial911.com

atrishq.com

circcountry.com

ellenandjames.info

jeeprevivalstore.com

thetouchofjo.com

Targets

- Target
  
  Purchase Order 77809 for acknowledgment.exe
- Size
  
  281KB
- MD5
  
  48884ebe9169015be3e42f68ad14d7be
- SHA1
  
  4c0fe63fe5090ed8ac71f3af10dfc84c9b8b0f5e
- SHA256
  
  b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b
- SHA512
  
  9258362c161b710264767cb180913c3190c6594961d40d1fdc976babfeeb4494aab31678cc9eb75662bf48e1055c8d62de0c8c9d2f4061e3917afb325c6bc0b4
Score

10^/10

formbook y22 persistence rat rezer0 spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook Payload

ReZer0 packer

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2