62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634

Target

Size

511KB

Sample

220521-xjvnxabhc2

Score

10 ^/10

MD5

14b803db733bac403f630661535f2d5d

SHA1

2e0b3d4faea71fb933dfe355d789350bc27cb414

SHA256

62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634

SHA512

49a2f8c4cc6c499d01e8b84084a9b7da1fa43fca780284e20a926c8c1729db200e8c23042e25f151029637951bbdb47e3cdc141f5c5ea8fc94f8a001bb070f48

Extracted

Family	formbook
Version	4.1
Campaign	kvsz
Decoy	okashyns.com sbsgamedaejeon-two.com drb77.com top5dating.com websprings.online voizers.com zenith.site lahistoriade.com qv85.com armandonieto.com priestvedic.com jessandjeff.net magic-desktop.com jitaji.com ldmeili.com yuwanqingmy.com buzhouorg.com chaiseloungereviews.com m2g8way.com freespin-support.com bocapvang.net 315px.com eugeniobarros.tech sif.email xn--oorv2aj6bj7cds0d6p4b.com polychips.com grouptulip.win landbank.site bet365c.win inbonz.com outofthepark.today jeaniney.com weeip.com dmoneylife.com rticlubs.com reisedating.com marijuanadogbone.com funippon.com banknotesync.com alexandre-boissard.com valorartetattoo.com savetheverse.com specificpcshop.online h0jt1y.accountant jiqing3.com alfaranakle.com saft-store.com wanderingcollective.com santandermobi.online 557023.top loulancaster.com vedattelekom.com jatinangorcity.com goldencanaries.com edgaralanbro.com levelretail.com taylorsandbek.com upbeatnewyork.com motoreselectricoschihuahua.com hotair.wales getawomantodoit.com xiaoxiong365.com cloudboxsupport.com vecteur-u-shop.com fex-tracks.com okashyns.com sbsgamedaejeon-two.com drb77.com top5dating.com websprings.online voizers.com zenith.site lahistoriade.com qv85.com armandonieto.com priestvedic.com jessandjeff.net magic-desktop.com jitaji.com ldmeili.com yuwanqingmy.com buzhouorg.com chaiseloungereviews.com m2g8way.com freespin-support.com bocapvang.net 315px.com eugeniobarros.tech sif.email xn--oorv2aj6bj7cds0d6p4b.com polychips.com grouptulip.win landbank.site bet365c.win inbonz.com outofthepark.today jeaniney.com weeip.com dmoneylife.com rticlubs.com reisedating.com marijuanadogbone.com funippon.com banknotesync.com alexandre-boissard.com valorartetattoo.com savetheverse.com specificpcshop.online h0jt1y.accountant jiqing3.com alfaranakle.com saft-store.com wanderingcollective.com santandermobi.online 557023.top loulancaster.com vedattelekom.com jatinangorcity.com goldencanaries.com edgaralanbro.com levelretail.com taylorsandbek.com upbeatnewyork.com motoreselectricoschihuahua.com hotair.wales getawomantodoit.com xiaoxiong365.com cloudboxsupport.com vecteur-u-shop.com fex-tracks.com

Target

?????? ?? ???????.exe

MD5

203f52c19d874bb4206677f8075c7677

Filesize

662KB

Score

10^/10

SHA1

9f0b37d6aa3854442d0336a0a853593f9177ad85

SHA256

cdcf2838549fff5889e730c6acf553d1de2940575da7e75b8aeefb043dc13ac0

SHA512

d44325b203d93fd86bb75eb75e8ebcd7618d4f3997d6179d8103101a054eb5f9f40a5de53dcacb2f12d8c4adfaa7a115fbece2d4431b772cf3d22a9984343c25

Signatures

Formbook
Description

Formbook is a data stealing malware which is capable of stealing data.
Tags

trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Description

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags

suricata
Formbook Payload
Tags

rat
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

formbook kvsz persistence rat spyware stealer suricata trojan

10^/10

behavioral2

formbook kvsz rat spyware stealer trojan

10^/10

Extracted

Tags

Signatures

Formbook

Description

Tags

suricata: ET MALWARE FormBook CnC Checkin (GET)

Description

Tags

Formbook Payload

Tags

Checks computer location settings

Description

TTPs

Reads user/profile data of web browsers

Description

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2