formbook

General

Target

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
Size

305KB
Sample

220724-yq59naegbn
MD5

843485dbff12620fb58532fab189a3fe
SHA1

fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
SHA256

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
SHA512

a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

hx227

Decoy

lapizapps.com

heitoping.com

pthelperspositivev.win

gmxpic.com

valuecodeliving.com

kredit-hilfe-gesucht.com

totalwebservices.online

impressionscarpetcleaning.net

cqpsds.info

1q2fiveafter.men

campbellpropertiesuk.com

avalon.loans

bankcardssite.market

connqa.com

luludallas.com

acessoitaucard.net

ad-concier.com

blrsi.com

zecrypto.com

com-services-secure-id.info

Targets

- Target
  
  57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
- Size
  
  305KB
- MD5
  
  843485dbff12620fb58532fab189a3fe
- SHA1
  
  fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
- SHA256
  
  57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
- SHA512
  
  a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00
Score

10^/10

formbook hx227 persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook payload

Adds policy Run key to start application

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2