formbook | 4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd | Triage

Submit
Reports

Overview

overview

Static

static

4ac2c172c2...dd.exe

windows7-x64

4ac2c172c2...dd.exe

windows10-2004-x64

Sharing

General

Target

4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd
Size

476KB
Sample

221125-kar57sde55
MD5

c67f5e0a1b70379e571ad98dfabf90fa
SHA1

cf5c2c9c424bfa81fe5f7ecf3fa1882078743bb8
SHA256

4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd
SHA512

125e0b7d24efc7491c0aca2f21d7c88146cfd4f76536ca8e6a5e8316fee5f4e5234adf23e0ca5d94e49999875dc381dff481a8e39424fd8049bc62379dc9d783
SSDEEP

12288:321dDwwJjHJ7qMUELjQl8BAxdPOsEguyUI:cdDwwJRjUELjQlrkG

Score

10^/10

formbook ch persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd.exe

Resource

win7-20220812-en

formbook ch persistence rat spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd.exe

Resource

win10v2004-20220812-en

formbook ch persistence rat spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch

Decoy

pardes.club

gpovisual.net

radio-garden.net

opebet977.com

buscaaps.com

teeveebox.net

recetasdepollo.online

fona.ltd

wensouder.net

swichitup.com

korian-foundation.info

shantinglvka.com

filmtipps.online

www1024sj.com

secretsofatrade.com

banquedabidjan.com

lifewayfoodscom.com

heidimcquinntp.com

tiendaportv.com

jenzamzow.com

yudahuabingfen.com

kube.ltd

camasdekarma.com

maliant.com

visitagransendademalaga.com

syndicatedadvisorresources.com

airplanes4hurricanes.com

xgtm00.com

3reki.com

healthychimney.net

targetstlouis.com

vulimb.info

spicylikes.com

yhsiliconeproducts.com

ccshanghai.net

magicayi.com

fleuristesmith.com

arewethereyethoney.com

yjtyjtyjjytjk.online

enhstore.com

cbnedt.men

kidscreationmuseum.com

nashobasoft.com

newsomeassociates.net

42wallabyway.sydney

lterfh.com

petitmusic.com

yourlifemenu.com

globalapp.email

eshopok.com

connorbenham.com

038979.com

showfangwang.com

mmfairs.info

110pwn8-avqur8b.com

baebolddoki.com

cloudbreakthroughs.ltd

mhamail.com

freecharitydesign.com

bosstech2017.com

tv5s.com

mir09.info

ajvbln.men

thethingsoflife.com

lyricmes.com

Targets

- Target
  
  4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd
- Size
  
  476KB
- MD5
  
  c67f5e0a1b70379e571ad98dfabf90fa
- SHA1
  
  cf5c2c9c424bfa81fe5f7ecf3fa1882078743bb8
- SHA256
  
  4ac2c172c26b2d7542326c6787f18d76c94b0fe040dbf9c7ea3c3d5595fcfadd
- SHA512
  
  125e0b7d24efc7491c0aca2f21d7c88146cfd4f76536ca8e6a5e8316fee5f4e5234adf23e0ca5d94e49999875dc381dff481a8e39424fd8049bc62379dc9d783
- SSDEEP
  
  12288:321dDwwJjHJ7qMUELjQl8BAxdPOsEguyUI:cdDwwJRjUELjQlrkG
Score

10^/10

formbook ch persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookchpersistenceratspywarestealertrojan

behavioral2

formbookchpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy