7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6

Target

Size

513KB

Sample

220521-xjrx1sbhb8

Score

10 ^/10

MD5

921b3241b24e44fd80dc0f5d476adc08

SHA1

491727164424d38afa6d057d6733bf4878ce816a

SHA256

7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6

SHA512

512a6b6a9f7be9ca9dc052690d19685ff382b68ff8900bc8f7c9a1601b7aab958381ff65824317cd0199112fc1441b50f3fbd37f60a2087f1c780133baf2a890

Extracted

Family	formbook
Version	4.1
Campaign	bnc
Decoy	saltoasischarleston.com gor.digital oneserviceplace.com ivcfte.info grasshopperveteran.com tblacklist.com noahandvincent.com bbbmorris.com coralvillerealestate.info rjprime.info smilehdapp.com texas.kitchen lifeofbeautifulchaos.com myfittedfurniture.com mobiledealsnetwork.com ateliermusicapiano.com 568027.com johnmeanwell.com uneggsing.com chengshuai88.com bb9c0clr1.online ru5hmotorsport.com massiveplain.com onyxzoe.com 1k4onehot.men quantumfingerprint.com davidkellysounds.com e-healinghub.com youaremydestinyth.com 835man.com iixiah.com clusterdatacenter.net comoeducarumfilho.com heloatfotografia.com glaucon.net driverlesspickups.com conquisteshop.com estatesdevelopers.com 2ndbeats.com rustycedarfarm.net burnsindustrial.net tictactocchomedey.com sinanzhiyou.com blueflamecollection.net seitai-yuuki.com dclawnsva.com vilamouraimmobilier.com creativa-image.com funnelsunderground.com bilaraby.net leadingwithscience.com donoteatanimals.net dakafe.store easytwopark.com capipenta.com wearstrains.com dyduyu.com fortunetechnicalservicesinc.com reqoverflow.com discephekaplama.site fattoriabucanuova.com taobaobeibei.com wigglewagglers.com huangyanlin.com teanmer.com saltoasischarleston.com gor.digital oneserviceplace.com ivcfte.info grasshopperveteran.com tblacklist.com noahandvincent.com bbbmorris.com coralvillerealestate.info rjprime.info smilehdapp.com texas.kitchen lifeofbeautifulchaos.com myfittedfurniture.com mobiledealsnetwork.com ateliermusicapiano.com 568027.com johnmeanwell.com uneggsing.com chengshuai88.com bb9c0clr1.online ru5hmotorsport.com massiveplain.com onyxzoe.com 1k4onehot.men quantumfingerprint.com davidkellysounds.com e-healinghub.com youaremydestinyth.com 835man.com iixiah.com clusterdatacenter.net comoeducarumfilho.com heloatfotografia.com glaucon.net driverlesspickups.com conquisteshop.com estatesdevelopers.com 2ndbeats.com rustycedarfarm.net burnsindustrial.net tictactocchomedey.com sinanzhiyou.com blueflamecollection.net seitai-yuuki.com dclawnsva.com vilamouraimmobilier.com creativa-image.com funnelsunderground.com bilaraby.net leadingwithscience.com donoteatanimals.net dakafe.store easytwopark.com capipenta.com wearstrains.com dyduyu.com fortunetechnicalservicesinc.com reqoverflow.com discephekaplama.site fattoriabucanuova.com taobaobeibei.com wigglewagglers.com huangyanlin.com teanmer.com

Target

UPDTED PAYMENT DETAILS 948998849-909N.exe

MD5

6d8a6794412d626d13bccfbcebda900f

Filesize

661KB

Score

10^/10

SHA1

466ae37bb340ce9ffca60cf8758cde8af08bd077

SHA256

dd2e99f4c8b2909221d9cddcae2aa9c5ce4e343cd4ed8e5fa7113e639412ef7f

SHA512

de7d7f7290dd4f65ae5954d29b41e6f1bbf78e17142d1287645d8a9cd3ddb3b520a8c782b1846a1f010636512431c289f4917a99dc1bc80b2059130aacd1c25a

Signatures

Formbook
Description

Formbook is a data stealing malware which is capable of stealing data.
Tags

trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Description

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags

suricata
Formbook Payload
Tags

rat
Adds policy Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

behavioral1

formbook bnc persistence rat spyware stealer suricata trojan

10^/10

behavioral2

formbook bnc persistence rat spyware stealer suricata trojan

10^/10

Extracted

Tags

Signatures

Formbook

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (GET)

Description

Tags

Formbook Payload

Tags

Adds policy Run key to start application

Tags

TTPs

Reads user/profile data of web browsers

Description

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2