formbook

General

Target

022b6cac20df5a22b26fb3f4f954117589b2a34cf0cd0b0fcc7fc74f742d4ae2
Size

256KB
Sample

220521-pp6z5abaam
MD5

cdaeca77bfa3e8ab43f8b8505d0f19c5
SHA1

0d7773f8f7fee4eafb15c66399beb605beae166c
SHA256

022b6cac20df5a22b26fb3f4f954117589b2a34cf0cd0b0fcc7fc74f742d4ae2
SHA512

68c0b5ce80a0b83a91fcf376bda3811612eb95934efd594a99110e3e5c71e62dd13babd40367be99a050725e461f56ed84142f072921d9dd459c5e6cbfca5eb2

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Targets

- Target
  
  PO66535.exe
- Size
  
  305KB
- MD5
  
  a33117822e49edf3dcef2e4cebc88dee
- SHA1
  
  e6fff97e4976ee885bed6e410d9791e1ddd09068
- SHA256
  
  ed4c5975dd2434b8e58a71a521021e8fbde3540c76a2518f627571311ad4e4df
- SHA512
  
  b5947a7ee1161510b62518770ed53dbc2a9b3fd82441eebbb30ef4d8969cffa7ae192e9b27d93ead0c13a7a49a9b57223f933f66ab8fc90bfd4a424fd144a425
Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2