formbook

General

Target

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2
Size

620KB
Sample

220707-zkt5wabdar
MD5

d5242869385cc6f80a3573f30969d32e
SHA1

804b91d679866e9c9a8f84abdc203aa5ac6069ef
SHA256

441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2
SHA512

4aa4622bf2d4e23a46ffaa47e7e984afacba5a3bcbcfc872c85b9a5d38e962b2bd59870fedf81375ceb1eb87f493e0079ad0925beccaf50d63e7c30ccfda0a74

Score

10^/10

formbook lokibot ra collection rat spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://strutitinca.ro/ftp/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

3.8

Campaign

ra

Decoy

bee-control.com

profilepaytren.com

hirntod.info

foxrivrefiber.com

redesignmind.com

prowikileaks.com

jeni86.win

franzzegarra.com

veruredrfygj.win

youzhongla.com

mynastudios.com

stop-r.net

pet-dress.com

beautiies.com

aminooctane.com

studiostraccio.com

jiazhengkj.com

itufq.info

ssco2203.com

bollywoodmoviedance.com

Targets

- Target
  
  441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2
- Size
  
  620KB
- MD5
  
  d5242869385cc6f80a3573f30969d32e
- SHA1
  
  804b91d679866e9c9a8f84abdc203aa5ac6069ef
- SHA256
  
  441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2
- SHA512
  
  4aa4622bf2d4e23a46ffaa47e7e984afacba5a3bcbcfc872c85b9a5d38e962b2bd59870fedf81375ceb1eb87f493e0079ad0925beccaf50d63e7c30ccfda0a74
Score

10^/10

formbook lokibot ra collection rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Formbook payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Formbook payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2