formbook

General

Target

Qfrmegh.exe
Size

168KB
Sample

220706-q9x4dsfef3
MD5

dfb8e69404268f25876c462adc10479a
SHA1

a5c7ab73c4bf71c64c0bb1f3345516ca14d5d13e
SHA256

bf3f26dfdfa937db7f856c20013d77ff05c76cb6f359b703d3f25e840686a9a4
SHA512

2f9381e0d336e97c767aff166928c5ee6d6a26940c7131ed5753aa0702d377d0d8abfceaa80271498120cefd609c10026ec2bd5bf87dc1fdab2e9bbaacf9e527

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Targets

- Target
  
  Qfrmegh.exe
- Size
  
  168KB
- MD5
  
  dfb8e69404268f25876c462adc10479a
- SHA1
  
  a5c7ab73c4bf71c64c0bb1f3345516ca14d5d13e
- SHA256
  
  bf3f26dfdfa937db7f856c20013d77ff05c76cb6f359b703d3f25e840686a9a4
- SHA512
  
  2f9381e0d336e97c767aff166928c5ee6d6a26940c7131ed5753aa0702d377d0d8abfceaa80271498120cefd609c10026ec2bd5bf87dc1fdab2e9bbaacf9e527
Score

10^/10

formbook ba17 rat spyware stealer trojan suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2