formbook | d4debc692c46662beafe17cfe99f61ef6df421baf190174620458926bebfd080 | Triage

Sharing

General

Target

d4debc692c46662beafe17cfe99f61ef6df421baf190174620458926bebfd080
Size

310KB
Sample

220521-pe1qcsfbe8
MD5

371b7e70c8134b949bdd9316ee0836f2
SHA1

a47010df85acba58c8c587c3ca28ca0f5821ab61
SHA256

d4debc692c46662beafe17cfe99f61ef6df421baf190174620458926bebfd080
SHA512

bf747967cf4785727f9d49228d2b2cc75af1ad7bd04a9841ac49695ff254b9881cad957ac119246cd8a3840ba9f725d27e88516130169cd2369aa3d293e0558a

Score

10^/10

formbook i0qi persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

i0qi

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Targets

- Target
  
  Purchase Order 564537737 May.exe
- Size
  
  411KB
- MD5
  
  bf15960dd7174427df765fd9f9203521
- SHA1
  
  cb1de1df0c3b1a1cc70a28629ac51d67901b17aa
- SHA256
  
  9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da
- SHA512
  
  7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074
Score

10^/10

formbook i0qi persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooki0qipersistenceratspywarestealersuricatatrojan

behavioral2

formbooki0qipersistenceratspywarestealersuricatatrojan