formbook | 5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769 | Triage

Submit
Reports

Overview

overview

Static

static

5814e53e67...69.exe

windows7-x64

5814e53e67...69.exe

windows10-2004-x64

Sharing

General

Target

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769
Size

212KB
Sample

220724-t1xytaahgp
MD5

0d6ae9500984c013e717fac3aa020e0f
SHA1

d87df965c6ae2e75380d6752dc0030fc7b891a1d
SHA256

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769
SHA512

e23dcd8c19590785409c789c47fb4a69e51dde2534f739a635b8b5b23f73705a42dbc6ef8dfaa336c1fad01d7355e4755717e5fba52f970fda5542356dd95dcf

Score

10^/10

formbook sh persistence rat spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe

Resource

win7-20220718-en

formbook sh persistence rat spyware stealer suricata trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe

Resource

win10v2004-20220721-en

formbook sh persistence rat spyware stealer suricata trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

sh

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

vandenbergpol.com

farmagf.com

xn--sjq656oa.net

bostonrefinanceboard.com

dannymetal.email

rcnxg.info

miaoshahui.net

sianakuwait.com

soundsquaremusic.com

liputan66.com

office365esafety.group

bolababy.net

saltiestoftheearth.com

goculer.com

mindbodysoulfoodie.com

tamsueva.info

givingartgallery.com

onlinestore.ninja

sanftemassagen.com

lafourmibatisseuse.com

200767.top

christina-kenel.com

burocratastijuana.com

herosofharvey.com

libelle-le.com

zecstb.men

jxkysd.com

yejiajun.com

social123marketing.com

simplelifeorganic.com

tjkaizhen.com

estableg.info

cyrilportmann.com

ntstiffins.com

717385y.info

ellamcd.com

cnxt.social

iotaagriculture.com

frankpilates.net

flytart.com

watch-zone.tech

yigitay.net

bubbleshootgames.com

cosmiceggpack.com

drylipc.com

Targets

- Target
  
  5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769
- Size
  
  212KB
- MD5
  
  0d6ae9500984c013e717fac3aa020e0f
- SHA1
  
  d87df965c6ae2e75380d6752dc0030fc7b891a1d
- SHA256
  
  5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769
- SHA512
  
  e23dcd8c19590785409c789c47fb4a69e51dde2534f739a635b8b5b23f73705a42dbc6ef8dfaa336c1fad01d7355e4755717e5fba52f970fda5542356dd95dcf
Score

10^/10

formbook sh persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook payload
  rat
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookshpersistenceratspywarestealersuricatatrojan

behavioral2

formbookshpersistenceratspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy