formbook

General

Target

HA-22-2819922-077.exe
Size

551KB
Sample

221208-qsb5laab56
MD5

f3fa21b3a4822c327047bf6937862210
SHA1

39d943eb69e2823d90544c259faff8097e0337ce
SHA256

bd4e6d059703f5a320f62a2db4c3b89e6c1878f0be17c06c494f0c1328fd1c50
SHA512

e66cf4dc486aa340f593d3354caa5636550fd7cfb0ba16e4a41db4411b3546b787b43e673a8356a75859805e2a73a0e7f6b4256eaa61f6049aef5db3075293d5
SSDEEP

12288:JuN7XJPGa/5LplH5PN3r86eXEONa9iJ8jr4H:Juj+4zZO6Qnyn

Score

10^/10

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

urde

Decoy

belleriacortland.com

gxzyykx.com

blocksholding.net

zhangjiyuan.com

tyfinck.com

xn--v9s.club

xn--72c9at8ec1l.com

dorismart.online

nocodeuni.com

hmmprocesos.website

quartile.agency

iansdogname.com

karengillen.com

the-bitindexprime.info

nthanisolutions.com

nakamu.online

sahityanepal.com

sinwinindustry.com

shotblastwearingparts.com

nstsuccess.com

Targets

- Target
  
  HA-22-2819922-077.exe
- Size
  
  551KB
- MD5
  
  f3fa21b3a4822c327047bf6937862210
- SHA1
  
  39d943eb69e2823d90544c259faff8097e0337ce
- SHA256
  
  bd4e6d059703f5a320f62a2db4c3b89e6c1878f0be17c06c494f0c1328fd1c50
- SHA512
  
  e66cf4dc486aa340f593d3354caa5636550fd7cfb0ba16e4a41db4411b3546b787b43e673a8356a75859805e2a73a0e7f6b4256eaa61f6049aef5db3075293d5
- SSDEEP
  
  12288:JuN7XJPGa/5LplH5PN3r86eXEONa9iJ8jr4H:Juj+4zZO6Qnyn
Score

10^/10

formbook urde persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Sets service image path in registry
  persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook payload

Sets service image path in registry

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2