Wednesday, August 23, 2023

Quick Malware Analysis: 2023-07-11 Loader-based Formbook Infection

Thanks to Brad Duncan for sharing this pcap!

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can install Security Onion 2.4 in a VM and import the pcap as shown here:

The screenshots at the bottom of this post show some of the interesting NIDS alerts, metadata logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:

Security Onion Conference

Our 10th Annual Security Onion Conference is coming up soon! Reserve your seat today! Last day to register is September 29!


Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see:

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

More Samples

Find all of our Quick Malware posts at:


Overview Dashboard:

NIDS alerts:

Drilling into the "ET USER_AGENTS Microsoft Office Existence Discovery User-Agent" alert at the bottom, we choose the Correlate menu option to see all correlated alerts and logs:

Pivot to PCAP:

Switch to ASCII transcript:

Going back to Alerts and correlating based on the "ET POLICY Possible HTA Application Download" alert we see:

Pivot to transcript:

Going back to Alerts and correlating based on the "ET POLICY PE EXE or DLL Windows file download HTTP" alert we see:

Pivot to transcript:

Example transcript for "ET MALWARE FormBook CnC Checkin (POST) M2" alerts:

Example transcript for "ET MALWARE FormBook CnC Checking (GET)" alerts:

Metadata overview:

HTTP GET and POST requests:

DNS lookups:

Interesting file transfers:

SSL/TLS logs:

Connection overview:

No comments:

Search This Blog

Featured Post

Security Onion 2.3 has reached End Of Life

On 10/6/2023, we announced a 6-month EOL notice for Security Onion 2.3:

Popular Posts

Blog Archive