formbook

General

Target

a0ea3e0e735b86e2d21e08fb984f7c4e4a1cfc18e5e88de9333dcf26c05f8114
Size

241KB
Sample

220724-2mfflsbeam
MD5

94ba088ab7928fa21e55de87a44dcd40
SHA1

793e343853260fee403bb7d5b0b39b4b3023fb6e
SHA256

a0ea3e0e735b86e2d21e08fb984f7c4e4a1cfc18e5e88de9333dcf26c05f8114
SHA512

03ea85d83e691aad0da4baa5ce5ee58fb663153667b85b5670afa12df70db9ffd2a675124a6e4e7a6a3b2b20514d9210cbe9a154e2fbfab25d781dc15cf499d0

Score

10^/10

formbook ph persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ph

Decoy

teacuppugpuppies4sale.com

yongjiaboli.com

lenislastlament.com

eco-sustainableheritage.com

vladimir.international

solutionsdelivsource.com

masara.info

farmsforgood.com

cdma1xcard.com

jinzhuoweiyu.com

motiv8.life

betterbuyme.com

amentilife.com

myfinalgreetings.com

businessstepbystep.com

lordsofclubs.com

667vuk.info

ctl.expert

wwwyinhe908.com

fucai5785.com

Targets

- Target
  
  a0ea3e0e735b86e2d21e08fb984f7c4e4a1cfc18e5e88de9333dcf26c05f8114
- Size
  
  241KB
- MD5
  
  94ba088ab7928fa21e55de87a44dcd40
- SHA1
  
  793e343853260fee403bb7d5b0b39b4b3023fb6e
- SHA256
  
  a0ea3e0e735b86e2d21e08fb984f7c4e4a1cfc18e5e88de9333dcf26c05f8114
- SHA512
  
  03ea85d83e691aad0da4baa5ce5ee58fb663153667b85b5670afa12df70db9ffd2a675124a6e4e7a6a3b2b20514d9210cbe9a154e2fbfab25d781dc15cf499d0
Score

10^/10

formbook ph persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook payload

Adds policy Run key to start application

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2