formbook

General

Target

a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
Size

584KB
Sample

220724-2fd9zabbbq
MD5

8b140506ec06ac39293346fe55fe9151
SHA1

4cb7f1b6b1aee0398a9fe7d6fa0ddfe21571655e
SHA256

a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
SHA512

cac3f2579192fb9c2f79af7930875f6d1acc0e354cf4eb57dd96d135ff768cfdba2b5755afc6e6f63630f4664534a3b3b42e7efab4cd878651f8f613b9729105

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c134

Decoy

rulo.ltd

stainremoval.solutions

thefashionvisitor.com

themasseywedding.com

wisconsinismyhome.com

golfclubs.today

paycoml.com

analytica.digital

best-film.link

gethard.online

elmgraphics.com

wyqgy.com

yhdc25.com

castingguide.site

at9981.com

everythinginvestmfaim.com

myfcbtexas.net

lakeshore.tax

ogrencisleri.net

hiyahuegnuyen.win

Targets

- Target
  
  a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
- Size
  
  584KB
- MD5
  
  8b140506ec06ac39293346fe55fe9151
- SHA1
  
  4cb7f1b6b1aee0398a9fe7d6fa0ddfe21571655e
- SHA256
  
  a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
- SHA512
  
  cac3f2579192fb9c2f79af7930875f6d1acc0e354cf4eb57dd96d135ff768cfdba2b5755afc6e6f63630f4664534a3b3b42e7efab4cd878651f8f613b9729105
Score

10^/10

formbook c134 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2