formbook

General

Target

66cba319c20a6e956a09334f4a23abc9c3d22c95f49731a04c26e2f8b8598412
Size

227KB
Sample

220521-pwtndagag9
MD5

5b0e92531d0ea6f32e8f64787fcc9bda
SHA1

290f7cacc474b9a5b55f2958d87124d3605ca866
SHA256

66cba319c20a6e956a09334f4a23abc9c3d22c95f49731a04c26e2f8b8598412
SHA512

b3ecf63a9532e94b08c930b91cb051658b4616b3a66fa2a333e4e9441c73cf32e87b11b361d98de179dc8d54b3ef155acdc26ec0717af3caccac43d8c1ff2a09

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

s5l

Decoy

greenstock.info

laurajaneaesthetics.com

817comm.com

dbprimery.com

slzu-vxtx9.biz

covetpro.com

50.ink

weick.email

88717888.com

tongyue0423.com

anchorsky.com

horapatarot.com

cadillacforless.com

primesupplyvintage.com

torchinstant.win

thebrandishere.com

www-69677.com

savestj.com

tommydad.com

xigjailbreak.com

Targets

- Target
  
  430917.exe
- Size
  
  330KB
- MD5
  
  e194989989a1a67a7734611823a1524f
- SHA1
  
  bcffc771e7e2f343a007e9a60da71a1e342d691e
- SHA256
  
  06ae29042dd19e5cc3e287eafcb47a934aba12b9c3d4224d31f64a700b1b77ca
- SHA512
  
  76641f8ed4a09ee40f233f8ba537a8841e6b8cd5f0d7b16a8efcc9154dcc868a05fe72a4f219c948f70fc153ead56da52fb13492c5cad1cba59798171a5637d8
Score

10^/10

formbook s5l persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2