formbook | 81c89c74bd3c21ddf71d0cf01ec2c104e0ec298e6d2c9430f6bb7ddd8e711d62 | Triage

Submit
Reports

Overview

overview

Static

static

New Order list.exe

windows7_x64

New Order list.exe

windows10-2004_x64

Sharing

General

Target

81c89c74bd3c21ddf71d0cf01ec2c104e0ec298e6d2c9430f6bb7ddd8e711d62
Size

283KB
Sample

220521-pv673sbcer
MD5

3b07278f51d5120075a7f5aa240861d3
SHA1

cd347db00e02e886fbc676734bea02efaafe9937
SHA256

81c89c74bd3c21ddf71d0cf01ec2c104e0ec298e6d2c9430f6bb7ddd8e711d62
SHA512

bc8ba07a3917725720df13fd4bef5740f8d521a19b3ed4076bf60d1e4a29fa58ad504d33d26bbf1455038d2ebc1fefaa0204e3c395a6717f00f5d9848f9a4f6e

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

New Order list.exe

Resource

win7-20220414-en

formbook 3nop rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New Order list.exe

Resource

win10v2004-20220414-en

formbook 3nop persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

capricorn1967.com

meucarrapicho.com

41230793.net

yoghurtberry.com

wv0uoagz0yr.biz

yfjbupes.com

mindfulinthemadness.com

deloslifesciences.com

adokristal.com

vandergardetuinmeubelshop.com

janewagtus.com

cloudmorning.com

foresteryt01.com

accident-law-yer.info

divorcerefinance.guru

wenxiban.com

589man.com

rockerdwe.com

duftkerzen.info

igametalent.com

yoursafetraffictoupdates.review

jialingjiangpubu.com

maximscrapbooking.com

20sf.info

shadowlandswitchery.com

pmbnc.info

shoppingdrift.online

potashdragon.com

ubkswmpes.com

064ewj.info

rewsales.com

dealsforyou.tech

ziruixu.com

naehascloud.com

smokvape.faith

sunflowermoonstudio.com

stepgentertainment.com

tawbj.info

besthappybuds.net

koohshoping.com

ajikrentcarsurabaya.com

jkjohnsroofingfl.com

whatsnexttnd.com

yoyodvd.com

joomlas123.info

Targets

- Target
  
  New Order list.exe
- Size
  
  368KB
- MD5
  
  cfc84703691c6640926457cb908b1b48
- SHA1
  
  8ee0d777616fa968e23bb7ba70962729b2e2295b
- SHA256
  
  e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
- SHA512
  
  51ba82d682cc9923d1d727dbd4dd424f3f2e4ee032948031748ee3bf30afb1228782b790a8611ba60e1c66ae75f7ef167c75af3151b258e8996eadfa7e944717
Score

10^/10

formbook 3nop rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook3nopratspywarestealertrojan

behavioral2

formbook3noppersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy