formbook

General

Target

4d58860b5ec12cfdf4e20a5aad49b6c607e5f6a19f0a9b6514a2f081d0cbce42
Size

948KB
Sample

220521-pe4r1saddp
MD5

642fdd4f91b76481b577dc03aba6150f
SHA1

47e4c592a69a8ed9bb57ab3db8391570db695ede
SHA256

4d58860b5ec12cfdf4e20a5aad49b6c607e5f6a19f0a9b6514a2f081d0cbce42
SHA512

9db522127c60278571fc8b43ff48e507a4714b5466dc187bf0c8dd406079df3f6593465eea46a646101dd05c0548c3634509f73684194bd6aba57d2aeb4c7f25

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vcd

Decoy

lacittauniversitaria.com

godsdigger.info

stxfwj.com

sing-uk.com

crazyedu.com

sunchermical.com

cocaparis2024.com

ahazm.com

li021.com

bizzspire.com

jb-o8y.com

ssconlineadmitcard.com

merkled.net

nesaraconstruction.com

viba.ltd

rasshoferconsulting.com

slingersdlbrbhjs.download

higgins-plastering.com

prostickusa.com

szryyl.com

Targets

- Target
  
  quote108.exe
- Size
  
  1.3MB
- MD5
  
  da64fb838cf3e807f83bedc61659574a
- SHA1
  
  dace8b92ed4181ea1959aa42edb94d11e71fe47a
- SHA256
  
  f17cee91692c671592aa451fea1c86090f9ff613dfad84a5e7f17c18fe939e1e
- SHA512
  
  d73e152e30b2b64fd25de87cee3f8baa4df42f19c2a71b6c51e21a9d4c95e2b4e8cbb119b7921702e1b0746bf88cfdfbe79b24c87913d0815562677afb3d2aeb
Score

10^/10

formbook vcd persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2