formbook | f3d00f6b1e78ee064a9d0284a926a86badb7da7f5a082da8dbe905ae32117f07 | Triage

Sharing

General

Target

f3d00f6b1e78ee064a9d0284a926a86badb7da7f5a082da8dbe905ae32117f07
Size

307KB
Sample

220521-nyg7paecf9
MD5

17d1269c9c0e60b60c4a25ba53d28270
SHA1

5c75cbe1f2d184aed038cfb1aa9561a0b8687d5f
SHA256

f3d00f6b1e78ee064a9d0284a926a86badb7da7f5a082da8dbe905ae32117f07
SHA512

31e0234a780bf9213b284eb47857ba033ed7267b8048fc9f25a64a9a6a7b46dae952eb249f3e871acfa553adf4017f43323808e79f9a05cc5acb4157aef75fd7

Score

10^/10

formbook c0w persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c0w

Decoy

pabloquilca.com

toppayingsites.info

karaokeparty.live

xn--xoq51di8gdwfx2ci32k.com

onceuponalltime.com

fxwumo.info

how2guide.info

tourcaminoinca.com

lillianeppert.com

mychopshop.com

czccm.com

carleillinoismedical.com

ambre-editions.mobi

jigoloistanbulankara.com

florencia.site

bbaa77.com

minersclub.xyz

angangken.com

eleventhhournotary.services

poenbomba.com

Targets

- Target
  
  SHIPPING DOCUMENT & PL.rar.exe
- Size
  
  533KB
- MD5
  
  62d26e6034ee056e4fcbbf1e6470566a
- SHA1
  
  514fd27391c58851624b4700ee486f4dcb1515e6
- SHA256
  
  b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65
- SHA512
  
  257f440d7de732cd7ccd226cb456da981a104c9f04b5d4af344c3d9435649f5da59da8d553e27d900ff1f8abd1e0857572230b872651e89e934429d08cc42dec
Score

10^/10

formbook c0w persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookc0wpersistenceratspywarestealersuricatatrojan

behavioral2

formbookc0wpersistenceratspywarestealersuricatatrojan