formbook | f073049a0bb7d1e370d603841469d9b6070da559d9721a018a6ace155d2d7b3a | Triage

Submit
Reports

Overview

overview

Static

static

U prilogu ...be.exe

windows7_x64

U prilogu ...be.exe

windows10-2004_x64

Sharing

General

Target

U prilogu potvrda narudzbe.exe
Size

500KB
Sample

220523-vj4kpsbbfm
MD5

148986549117576bfd15d868abc6455e
SHA1

671a0ca7cb8e5d39c3b2748d24bec6a32f6055f2
SHA256

f073049a0bb7d1e370d603841469d9b6070da559d9721a018a6ace155d2d7b3a
SHA512

24dca913d120b7a36b394f2ca51d0d8b31da59e5d7757e5bd4c74b228ecbc957906ce1f9f99883b87f37f51ee04d9c4e92f8e017b68eb9b40643fe97321b2d27

Score

10^/10

formbook 3nop persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

U prilogu potvrda narudzbe.exe

Resource

win7-20220414-en

formbook 3nop persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

U prilogu potvrda narudzbe.exe

Resource

win10v2004-20220414-en

formbook 3nop persistence rat spyware stealer suricata trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

infinitilamp.com

leelegantflower.com

floor-space.investments

vidasustentavel.online

wholehearteddaughters.com

vipandeep.com

mdwovzrrm.icu

592215.com

academicplumbing.com

bestveganbook.com

theservantleader.com

nazarickdeveloper.xyz

delta-wing.com

girlfriendsgarb.com

sezyz11.com

ca3construction.com

smartswitchhomeloan.net

luckytwo.agency

ministry-of-barbers.com

babbageacademy.com

informationside.com

packapp.net

spacecoasthondaevent.com

thehealthyimmunereset.com

pjcavaliere.info

trebdurham.com

zhixintonghe.com

gon2580.com

dottproject.net

snakby.com

keeponsports.com

debbiewilsondesigns.com

stagingsolutionsgroup.com

forummondialdelamerbizerte.com

garnier.red

tempestchs.com

zpxinxi.com

jam-nins.com

inclusiocg.com

msmenders.com

whachupichu.com

pursemore.com

thebusinessfitclub.com

scootgotti.com

jakesplacebarbers.com

Targets

- Target
  
  U prilogu potvrda narudzbe.exe
- Size
  
  500KB
- MD5
  
  148986549117576bfd15d868abc6455e
- SHA1
  
  671a0ca7cb8e5d39c3b2748d24bec6a32f6055f2
- SHA256
  
  f073049a0bb7d1e370d603841469d9b6070da559d9721a018a6ace155d2d7b3a
- SHA512
  
  24dca913d120b7a36b394f2ca51d0d8b31da59e5d7757e5bd4c74b228ecbc957906ce1f9f99883b87f37f51ee04d9c4e92f8e017b68eb9b40643fe97321b2d27
Score

10^/10

formbook 3nop persistence rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies WinLogon for persistence
  persistence
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbook3noppersistenceratspywarestealertrojan

behavioral2

formbook3noppersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy