Summary: 2025/05/04 06:50
First reported date: 2017/09/20
Inquiry period : 2025/04/27 06:50 ~ 2025/05/04 06:50 (7 days), 2 search results
Compared with the previous period, the trend is -250% lower.
The malware types NetWireRC, Amadey, Remcos and AsyncRAT are also newly observed.
Other new keywords such as last, aqbtkjtop, ambitiouswomennet, Advertising and Top are also observed.
FormBook is a well-known commercial malware that steals information from victims’ machines using keyloggers and form grabbers.
For reference, 101 malware types in the same group are identified, including FormBook, QakBot and RedLine.
Trend graph by period
Related keyword cloud
Top 100 / Special keyword group
Top 5
Malware Type
Malware types that are currently trending.
Keyword | Average | Label |
---|---|---|
FormBook | | 2 (22.2%) |
Lumma | | 1 (11.1%) |
NetWireRC | | 1 (11.1%) |
AgentTesla | | 1 (11.1%) |
Amadey | | 1 (11.1%) |

Attacker & Actors
Attackers or attack groups that are currently trending.
No data.

Technique
Attack techniques that are currently trending.
Keyword | Average | Label |
---|---|---|
Stealer | | 1 (100%) |

Country & Company
Countries or companies that are currently trending.
No data.
Malware Family
Top 5
A malware family is a group of applications with similar attack techniques.
In this trend, it is classified into Ransomware, Stealer, RAT or Backdoor, Loader, Botnet, Cryptocurrency Miner.
Threat info
Last 5 SNS
(Total : 2) FormBook Lumma IoC Stealer Advertising NetWireRC AgentTesla Amadey Remcos AsyncRAT XWorm
News
(Total : 0) No data.
Additional information
No | Title | Date |
---|---|---|
1 | TikTok transferred European user data to China.. fined in the 800 billion won range - 시큐리티팩트 | 2025.05.03 |
2 | Saskatoon children’s hospital nurse unlawfully snooped on records of 314 patients: privacy report - Malware.News | 2025.05.03 |
3 | Dating app Raw exposed users’ location data and personal information - Malware.News | 2025.05.03 |
4 | Hacker hired Telangana man to courier threats to Star Health Insurance MD - Malware.News | 2025.05.03 |
5 | Acadian Ambulance Seeks Dismissal of Data Breach Lawsuit - Malware.News | 2025.05.03 |
No | Title | Date |
---|---|---|
1 | Private: Stealing the Future: Infostealers Power Cybercrime in 2025 - Malware.News | 2025.04.23 |
2 | How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis - Malware.News | 2025.04.08 |
No | Request | Hash(md5) | Report No | Date |
---|---|---|---|---|
1 | Formbook Generic Malware .NET framework(MSIL) Malicious Library UPX Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 DLL | 143aa2a76396aab15a8bf762dfa7f377 | 59879 | 2025.04.23 |
2 | Formbook Process Kill Generic Malware Suspicious_Script_Bin Malicious Library FindFirstVolume CryptGenKey UPX PE File PE32 Device_File_Check OS Processor Ch | 67e4a0dc097ec49476cd4e56805e5e56 | 58946 | 2025.04.11 |
3 | Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey | c338c9cdccb21a6f023987865b4a6269 | 58240 | 2025.03.21 |
4 | Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey | 907d825de589180257b3cdd1515c7002 | 58242 | 2025.03.21 |
5 | Formbook Process Kill Generic Malware Malicious Library FindFirstVolume CryptGenKey UPX PE File Device_File_Check PE32 OS Process | cd00eab486d24844b6ae7933c4514271 | 58243 | 2025.03.21 |
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to identify installed AV products by installation directory |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe |
watch | One or more non-whitelisted processes were created |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The processes powershell.exe |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
watch | Wscript.exe initiated network communications indicative of a script based payload download |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Network | ET DNS Query to a *.top domain - Likely Hostile |
Network | ET INFO HTTP Request to a *.top domain |
No | Category | URL | CC | ASN Co | Date |
---|---|---|---|---|---|
1 | c2 | http://www.436bet.lol/lcva/ | US | CLOUDFLARENET | 2025.04.23 |
2 | c2 | http://www.igbee.online/tyrp/ | VG | CONFLUENCE-NETWORK-INC | 2025.04.23 |
3 | c2 | http://www.meshki-co-uk.shop/b8n0/ | US | CLOUDFLARENET | 2025.04.11 |
4 | c2 | http://www.nesuns.asia/ | | | 2025.03.26 |
5 | c2 | http://www.aifriendship.store/ | | | 2025.03.26 |
No | URL | CC | ASN Co | Reporter | Date |
---|---|---|---|---|---|
1 | https://github.com/legendary99999/gdfgadfgbdfv/releases/download/rgdvadfgvafdvx/Output.exe Formbook | US | MICROSOFT-CORP-MSN-AS-BLOCK | anonymous | 2025.05.03 |
2 | http://185.215.113.19//inc/freedom.exe Formbook | | | anonymous | 2025.04.26 |
3 | http://185.215.113.19//inc/explorer.exe Formbook | | | anonymous | 2025.04.26 |
4 | http://185.215.113.117//inc/freedom.exe Formbook | | | abus3reports | 2025.04.26 |
5 | http://185.215.113.117//inc/explorer.exe Formbook | | | abus3reports | 2025.04.26 |