formbook | 62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634 | Triage

Submit
Reports

Overview

overview

Static

static

?????? ?? ???????.exe

windows7_x64

?????? ?? ???????.exe

windows10-2004_x64

Sharing

General

Target

62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634
Size

511KB
Sample

220521-xjvnxabhc2
MD5

14b803db733bac403f630661535f2d5d
SHA1

2e0b3d4faea71fb933dfe355d789350bc27cb414
SHA256

62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634
SHA512

49a2f8c4cc6c499d01e8b84084a9b7da1fa43fca780284e20a926c8c1729db200e8c23042e25f151029637951bbdb47e3cdc141f5c5ea8fc94f8a001bb070f48

Score

10^/10

formbook kvsz persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

?????? ?? ???????.exe

Resource

win7-20220414-en

formbook kvsz persistence rat spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

?????? ?? ???????.exe

Resource

win10v2004-20220414-en

formbook kvsz rat spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

bocapvang.net

315px.com

eugeniobarros.tech

sif.email

xn--oorv2aj6bj7cds0d6p4b.com

polychips.com

grouptulip.win

landbank.site

bet365c.win

inbonz.com

outofthepark.today

jeaniney.com

weeip.com

dmoneylife.com

rticlubs.com

reisedating.com

marijuanadogbone.com

funippon.com

banknotesync.com

alexandre-boissard.com

valorartetattoo.com

savetheverse.com

specificpcshop.online

h0jt1y.accountant

jiqing3.com

alfaranakle.com

saft-store.com

wanderingcollective.com

santandermobi.online

557023.top

loulancaster.com

vedattelekom.com

jatinangorcity.com

goldencanaries.com

edgaralanbro.com

levelretail.com

taylorsandbek.com

upbeatnewyork.com

motoreselectricoschihuahua.com

hotair.wales

getawomantodoit.com

xiaoxiong365.com

cloudboxsupport.com

vecteur-u-shop.com

fex-tracks.com

Targets

- Target
  
  ?????? ?? ???????.exe
- Size
  
  662KB
- MD5
  
  203f52c19d874bb4206677f8075c7677
- SHA1
  
  9f0b37d6aa3854442d0336a0a853593f9177ad85
- SHA256
  
  cdcf2838549fff5889e730c6acf553d1de2940575da7e75b8aeefb043dc13ac0
- SHA512
  
  d44325b203d93fd86bb75eb75e8ebcd7618d4f3997d6179d8103101a054eb5f9f40a5de53dcacb2f12d8c4adfaa7a115fbece2d4431b772cf3d22a9984343c25
Score

10^/10

formbook kvsz persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookkvszpersistenceratspywarestealersuricatatrojan

behavioral2

formbookkvszratspywarestealertrojan

© 2018-2024

Terms | Privacy