formbook

General

Target

PROOF OF PAYMENT.exe
Size

24KB
Sample

220909-rnbhyagch7
MD5

7f99d249840dc2c5009b4771f887336e
SHA1

0a4de6946dca7444da62b7794bcb59e553108f0c
SHA256

fc15ab19130fccdae7dee477e0ae6d711fe3492cbac1b7e5d472eae4902f9516
SHA512

2dc950577ee4fa9b999d044cbb93aa365b13eb5a012633e7ec61410536790080c6c2f3be9f684ac3f11694b51d40d4732aa9975d91fd0c2b68c6e9d66a204237
SSDEEP

384:JwkCN7n8OIo3A12++XCCvcXEMA+7QEh2Fobm22:5CNz8OBnMA8R2

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

a520

Decoy

/gLFv8NVc2nqbYCCoHLJDBi+TWOu

sjwFU14OMEn7e45Z11ou

stKh65U2h0eAsE3C4do=

tk5xxHYnTytQmuXoUyhstM+PmMM3eNzI

VExtu7dXhpO5DVpouFRxSlhP

YdSW3s9Pg88HRHs7IfKVBk8dGis=

/LJ5vLk+mifRECHWQPfgWQ==

/4qc8tqSwrszxE3C4do=

e4IkI9v2EV+ertKMol1xSlhP

VlwmZCwqUvsUbriqC/RU8Hnh9yM=

o8+X4ZkxbmtygJJZ11ou

YPS3vnb0JRuS8CAOQ0OY2PG4s8U3eNzI

JT5iqFqVvyfGCDX2Httopp4=

2qeFp5QULYE4suWiry9MYFtH

6OaHllqHu+H49V0VCw==

c4xPnUPM8hW3Nldbq6j8X+iVlQ==

s0tmqKSyw0FK0vLpFZ1mX+iVlQ==

SWU1e3eTqiCzv8TIDAtus757e6k3eNzI

CcDlcuyGx8ZDyynuQjQLRg==

KNq19/KCns+bobJdXiXu9AK+TWOu

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:4190

Mutex

7766992d-5166-4919-9d26-1d114e11093c

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-17T10:10:35.253943636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4190
default_group
NEW TRY FOR SUCCESS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7766992d-5166-4919-9d26-1d114e11093c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  PROOF OF PAYMENT.exe
- Size
  
  24KB
- MD5
  
  7f99d249840dc2c5009b4771f887336e
- SHA1
  
  0a4de6946dca7444da62b7794bcb59e553108f0c
- SHA256
  
  fc15ab19130fccdae7dee477e0ae6d711fe3492cbac1b7e5d472eae4902f9516
- SHA512
  
  2dc950577ee4fa9b999d044cbb93aa365b13eb5a012633e7ec61410536790080c6c2f3be9f684ac3f11694b51d40d4732aa9975d91fd0c2b68c6e9d66a204237
- SSDEEP
  
  384:JwkCN7n8OIo3A12++XCCvcXEMA+7QEh2Fobm22:5CNz8OBnMA8R2
Score

10^/10

formbook nanocore a520 evasion keylogger persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2