formbook | acc4d8e95dd29d9938aa45721d589407dd9e2712e6035d620068709c1bbe600e | Triage

Submit
Reports

Overview

overview

Static

static

products samples.exe

windows7_x64

products samples.exe

windows10-2004_x64

Sharing

General

Target

acc4d8e95dd29d9938aa45721d589407dd9e2712e6035d620068709c1bbe600e
Size

241KB
Sample

220521-xew16sbeg6
MD5

45b61bca34efec06eba0469fe2003b55
SHA1

a2c05569f3205d6d682ea409293469867489f729
SHA256

acc4d8e95dd29d9938aa45721d589407dd9e2712e6035d620068709c1bbe600e
SHA512

eda1cafbb7c3497e009feabe99d157b8a392b401ee9a96589e9ea3d375ec5796f81b1a8e092a77750f92f601b15bc84d7df2495b7390f40c3b896a46cd1d1224

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

products samples.exe

Resource

win7-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

products samples.exe

Resource

win10v2004-20220414-en

formbook n7ak persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

bazarmoney.net

librosdecienciaficcion.com

shopmomsthebomb.com

vanjacob.com

tgyaa.com

theporncollective.net

hydrabadproperties.com

brindesecologicos.com

sayagayrimenkul.net

4btoken.com

shycedu.com

overall789.top

maison-pierre-bayle.com

elitemediamasters.com

sharmasfabrics.com

hoshamp.com

myultimateleadgenerator.com

office4u.info

thaimart1.com

ultimatewindowusa.com

twoblazesartworks.com

airteloffer.com

shoupaizhao.com

741dakotadr.info

books4arab.net

artedelcioccolato.biz

tjqcu.info

teccoop.net

maturebridesdressguide.com

excelcapfunding.com

bitcoinak.com

profileorderflow.com

unbelievabowboutique.com

midlandshomesolutionsltd.com

healthywithhook.com

stirlingpiper.com

manfast.online

arikorin.com

texastrustedinsurance.com

moodandmystery.com

yh77808.com

s-immotanger.com

runzexd.com

meteoannecy.net

joomlas123.info

Targets

- Target
  
  products samples.exe
- Size
  
  494KB
- MD5
  
  e64f048c8c196195443a74e911748666
- SHA1
  
  42d24e14f852afba26c793bf4063ad80f581452a
- SHA256
  
  cbb6d89187847aab1fcff6b5d832ea80bca30bfe5520702133cab83335392ead
- SHA512
  
  0101a9d60cfbf7dbabf5e7c3d119c12bd5774926387fb51606e5715ee80554c8311b5bc2060e4a329199a696799a593b8a7b4af9315c06a009228e3832e56f75
Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

formbookn7akpersistenceratspywarestealersuricatatrojan

behavioral2

formbookn7akpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy