{ "type": "SHA256", "indicator": "0e2678f5d0173246c464a42aced9a6f5494e9f2619257ba7e468834e8708b726", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "0e2678f5d0173246c464a42aced9a6f5494e9f2619257ba7e468834e8708b726", "validation": [], "base_indicator": { "id": 86903078, "indicator": "0e2678f5d0173246c464a42aced9a6f5494e9f2619257ba7e468834e8708b726", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "59c5592801e2b97e291a3cd5", "name": "The Formidable FormBook Form Grabber", "description": "More and more we\u2019ve been seeing references to a malware family known as FormBook. Per its advertisements it is an infostealer that steals form data from various web browsers and other applications. It is also a keylogger and can take screenshots. The malware code is complicated, busy, and fairly obfuscated\u2013there are no Windows API calls or obvious strings. This post will start to explore some of these obfuscations to get a better understanding of how FormBook works.", "modified": "2017-09-22T18:40:40.292000", "created": "2017-09-22T18:40:40.292000", "tags": [ "infostealer", "malware", "FormBook", "keylogger", "arbornetworks" ], "references": [ "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "FileHash-MD5": 3, "FileHash-SHA1": 3, "URL": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386504, "modified_text": "3172 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "59c5592801e2b97e291a3cd5", "name": "The Formidable FormBook Form Grabber", "description": "More and more we\u2019ve been seeing references to a malware family known as FormBook. Per its advertisements it is an infostealer that steals form data from various web browsers and other applications. It is also a keylogger and can take screenshots. The malware code is complicated, busy, and fairly obfuscated\u2013there are no Windows API calls or obvious strings. This post will start to explore some of these obfuscations to get a better understanding of how FormBook works.", "modified": "2017-09-22T18:40:40.292000", "created": "2017-09-22T18:40:40.292000", "tags": [ "infostealer", "malware", "FormBook", "keylogger", "arbornetworks" ], "references": [ "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "FileHash-MD5": 3, "FileHash-SHA1": 3, "URL": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386504, "modified_text": "3172 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "0e2678f5d0173246c464a42aced9a6f5494e9f2619257ba7e468834e8708b726", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "0e2678f5d0173246c464a42aced9a6f5494e9f2619257ba7e468834e8708b726", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170655.558011 }