formbook | 0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

documents.exe
Size

895KB
Sample

220909-f25s6agee6
MD5

b3ca9cf9577c0e5017f469c2f685559e
SHA1

c16ef4ceee9c450225c29ef355500032f318b2a5
SHA256

0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d
SHA512

22db7872c384730b92a8cf692ddff60427de464ec875feaab13a3d7940109462c6daf844fe66da1978e3a6c6d12bad0e5cf2dd7b54f928924364ebef569614d9
SSDEEP

12288:ZRNd8x5nrx3ZniTkS2Z88VsXF0WrfN2671Mxf89YJRVo:Dn8zrxVCkfFGNj71sCYJ/

Score

10^/10

formbook ejgp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ejgp

Decoy

+0NM3RekW0bfgQ==

iQmI3Aw2aoOljoA0XZi1

5Ei2CVwQyOgZwV/u4eiMFdKqc84=

ImSvoul9o0reZ9TKUAUkXgw=

kuCrMIco5vT3sxCUQ+pYsVoG7Q==

btgpLo8XM+qHGLzoizgjRg==

fqK2iM5vW0bfgQ==

ObS1UE+TByKRZozamdULr0naXbKPLA==

bcohBkmNNcpp3gJ/XE2/mBs=

yY5b/cLb3+0llg==

GVEVqBNXl7Kic2Sm

Tqpt2tTlW0bfgQ==

eurYRI7UFDBjDbzpIJKz

7wwDuczemAaJNrrpIJKz

bprQyLvLEj+hhMLHHg==

qdoAqq/XOjh0ItzLLJpHBgxoJgM2

gr5SnMA66BpM8+hUM+iawNKeZsQ=

XLoO6yFTsdNuEYpUPfScwqXEk7dqBnU=

vS2Cjfg0tqBF1GpuHemLV8/g4wUwPspS

U5wqXJjP/u/qg3sE+YKsgVVByFw+

Targets

- Target
  
  documents.exe
- Size
  
  895KB
- MD5
  
  b3ca9cf9577c0e5017f469c2f685559e
- SHA1
  
  c16ef4ceee9c450225c29ef355500032f318b2a5
- SHA256
  
  0f8f203e0b21e34ad21c3e762dbae4c4c7b158624a5f805ebf19e8ba05c76e5d
- SHA512
  
  22db7872c384730b92a8cf692ddff60427de464ec875feaab13a3d7940109462c6daf844fe66da1978e3a6c6d12bad0e5cf2dd7b54f928924364ebef569614d9
- SSDEEP
  
  12288:ZRNd8x5nrx3ZniTkS2Z88VsXF0WrfN2671Mxf89YJRVo:Dn8zrxVCkfFGNj71sCYJ/
Score

10^/10

formbook ejgp rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookejgpratspywarestealertrojan

behavioral2

formbookejgpratspywarestealertrojan