formbook

General

Target

17860814e8bd76c17950f886ad9de46cea5d891c4144f7e47f1a64d990e152c1
Size

245KB
Sample

220521-pyra2agbh7
MD5

fb111186a13baae8436018acb8f85c7f
SHA1

7bcbd64e6a0020967d3881baec989eaecb19606f
SHA256

17860814e8bd76c17950f886ad9de46cea5d891c4144f7e47f1a64d990e152c1
SHA512

57a24e0fb1f18c55c26cc3ebc826d450be5256fd27749a4f7487d3376787d7687397979147a91ba88dcf82ab74c64d65b3619ea14066c698deadb789b7e92b41

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

s5l

Decoy

greenstock.info

laurajaneaesthetics.com

817comm.com

dbprimery.com

slzu-vxtx9.biz

covetpro.com

50.ink

weick.email

88717888.com

tongyue0423.com

anchorsky.com

horapatarot.com

cadillacforless.com

primesupplyvintage.com

torchinstant.win

thebrandishere.com

www-69677.com

savestj.com

tommydad.com

xigjailbreak.com

Targets

- Target
  
  doc094.exe
- Size
  
  345KB
- MD5
  
  aa4728fc8d920e596570904225ffaeca
- SHA1
  
  242c0f565ef343f4390b3090fcd1480ae07d50c1
- SHA256
  
  aa3a6c0efb81498bfda5ebc1319154af99114b3184a9dffd5924e778b25b1ab9
- SHA512
  
  b145c454ab49f26194ec3d4a6ab0cb4ec4208aee1ea624d5d48473d858e41a008c2cfd0778e9aaac79f83d4ec9c62d5e0a10c7c8b879a126237c041d2d47ef41
Score

10^/10

formbook s5l persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Adds policy Run key to start application

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2