formbook | bc5af6d6aa8b703a81fe8ba15788bf4de8bc9f5c69d300eb15559df8960b3232 | Triage

Submit
Reports

Overview

overview

Static

static

Attached i...er.exe

windows7_x64

Attached i...er.exe

windows10-2004_x64

Sharing

General

Target

bc5af6d6aa8b703a81fe8ba15788bf4de8bc9f5c69d300eb15559df8960b3232
Size

502KB
Sample

220521-xev4waehdk
MD5

7101fce5a4db622570268cdb05a1fc42
SHA1

c6b7526738e5ac5068f8e070e8336cb4c1960ceb
SHA256

bc5af6d6aa8b703a81fe8ba15788bf4de8bc9f5c69d300eb15559df8960b3232
SHA512

9b7fa9b2aaf112d702cc65ab08c13f7b6815a4429d32b84c72efd8f773e96c55ab4d7372e80d343a7f2b5480baddb09cabd811135b2436cb2e44521e8793779a

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Attached is list of our purchase order.exe

Resource

win7-20220414-en

formbook 3nop persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Attached is list of our purchase order.exe

Resource

win10v2004-20220414-en

formbook 3nop persistence rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

capricorn1967.com

meucarrapicho.com

41230793.net

yoghurtberry.com

wv0uoagz0yr.biz

yfjbupes.com

mindfulinthemadness.com

deloslifesciences.com

adokristal.com

vandergardetuinmeubelshop.com

janewagtus.com

cloudmorning.com

foresteryt01.com

accident-law-yer.info

divorcerefinance.guru

wenxiban.com

589man.com

rockerdwe.com

duftkerzen.info

igametalent.com

yoursafetraffictoupdates.review

jialingjiangpubu.com

maximscrapbooking.com

20sf.info

shadowlandswitchery.com

pmbnc.info

shoppingdrift.online

potashdragon.com

ubkswmpes.com

064ewj.info

rewsales.com

dealsforyou.tech

ziruixu.com

naehascloud.com

smokvape.faith

sunflowermoonstudio.com

stepgentertainment.com

tawbj.info

besthappybuds.net

koohshoping.com

ajikrentcarsurabaya.com

jkjohnsroofingfl.com

whatsnexttnd.com

yoyodvd.com

joomlas123.info

Targets

- Target
  
  Attached is list of our purchase order.exe
- Size
  
  1018KB
- MD5
  
  51c0b8ed8fefbc54a2dee932441e60f5
- SHA1
  
  f1725101ee1c02864a3e829d08d9062d9f05a694
- SHA256
  
  ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3
- SHA512
  
  1d596345a1e54f24de8e2b2d086eed00ec822caab7b985abae37df15d300419ef0e0dc81d7154b73c89a2fa74b9fecc4d42f7fb09f56cb0e33e415056baf8804
Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbook3noppersistenceratspywarestealersuricatatrojan

behavioral2

formbook3noppersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy