formbook | b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase O...st.exe

windows7_x64

Purchase O...st.exe

windows10-2004_x64

Sharing

General

Target

b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9
Size

283KB
Sample

220521-pthhbsgaa8
MD5

15a68d0277505a388b3ba0e46d37f500
SHA1

146fb815d165b3b0b160a223e8cec45baf8ea30c
SHA256

b6ca5260fe0d12121268026560ad699cf4f0dadf38b880359a12f283df97fed9
SHA512

e27816105e5663b08bfed137126e04117fc720a8d1c7ba364b4eefae91de29fbebd35f71006203f0b83ad6cd7f2b9014c329c9207841d64ea16e880b1ebe6d8e

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order List.exe

Resource

win7-20220414-en

formbook 3nop persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase Order List.exe

Resource

win10v2004-20220414-en

formbook 3nop persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

capricorn1967.com

meucarrapicho.com

41230793.net

yoghurtberry.com

wv0uoagz0yr.biz

yfjbupes.com

mindfulinthemadness.com

deloslifesciences.com

adokristal.com

vandergardetuinmeubelshop.com

janewagtus.com

cloudmorning.com

foresteryt01.com

accident-law-yer.info

divorcerefinance.guru

wenxiban.com

589man.com

rockerdwe.com

duftkerzen.info

igametalent.com

yoursafetraffictoupdates.review

jialingjiangpubu.com

maximscrapbooking.com

20sf.info

shadowlandswitchery.com

pmbnc.info

shoppingdrift.online

potashdragon.com

ubkswmpes.com

064ewj.info

rewsales.com

dealsforyou.tech

ziruixu.com

naehascloud.com

smokvape.faith

sunflowermoonstudio.com

stepgentertainment.com

tawbj.info

besthappybuds.net

koohshoping.com

ajikrentcarsurabaya.com

jkjohnsroofingfl.com

whatsnexttnd.com

yoyodvd.com

joomlas123.info

Targets

- Target
  
  Purchase Order List.exe
- Size
  
  368KB
- MD5
  
  962eef4cf460292ecc166f2b2fc98823
- SHA1
  
  c666349ef2d17b180d3121954e658d4df231d9e8
- SHA256
  
  61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
- SHA512
  
  32bc1b69343e11308da5309370e9b97969e4b47bf9c942aae97233b60e2ec6380e0c34a094c3d2260a9d48b1d4d821c8bc89071b10f54eaf27000c0625e715ab
Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook3noppersistenceratspywarestealersuricatatrojan

behavioral2

formbook3noppersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy