formbook

General

Target

tmp
Size

247KB
Sample

220910-hm497ahga7
MD5

5e822f4a547b3c11badbf4e7c32855b6
SHA1

1095d99f92c01e305a4ead8bcfa57e2a3e60e881
SHA256

86369d60c9f6b68598952379aaa9b0d3b7af84294b4aece68359552287d3456f
SHA512

d1f64cf86427ab3d343784f8a018d80936d66f4a14d2f8db7023873860674320ddaf7dc708214af1473aad2c9b3565ed5d7d874c2098a0cb8db30878375765fd
SSDEEP

6144:Lx8KOdzOqfSK533Uaz42DfXT/D3WRJXhHy5ieqYJAMxFMc:iLZO6XPDrbmFHy5iuDMc

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

gaut

Decoy

m/ZR+vHGTDi5P5eTKQ==

y1XAmIYf5EzN

xVq5NSIqz73FP5eTKQ==

hrD4XrgTHJ0ScgcArZH5eA9JF1Q=

Zy9FBBtKzJ8=

HGDRVLwqPdfEtsmcmW5R

qLoe4zopNK4IP5eTKQ==

FdgV1Ibo3jx9UQBu12dZ

sjKaYyBpvvcrc7toRRfH6Zk=

E70OnlWsKQmj/hMCqUNttB63

ymTWgpOIM1hdNQK/POA=

ZSNYFV6Sa8TvtzM13amZyokJPA==

ona6eKhy/+zi8nF4IQ==

TNYRkIZh5ro7ftmG+qKMyokJPA==

GT6ooWK2RDeNxvekcYtrzzgISoiI

77gExgr5torzaLRtTRfH6Zk=

ejZ0wrGEHSobarU=

Zc4LuNnIbmrB/zXdTw31UKxeAqf84UTz5g==

i0u2PCY1XLkEP5eTKQ==

ytX4PjpCafwQugCvIKKMTUsISoiI

Targets

- Target
  
  tmp
- Size
  
  247KB
- MD5
  
  5e822f4a547b3c11badbf4e7c32855b6
- SHA1
  
  1095d99f92c01e305a4ead8bcfa57e2a3e60e881
- SHA256
  
  86369d60c9f6b68598952379aaa9b0d3b7af84294b4aece68359552287d3456f
- SHA512
  
  d1f64cf86427ab3d343784f8a018d80936d66f4a14d2f8db7023873860674320ddaf7dc708214af1473aad2c9b3565ed5d7d874c2098a0cb8db30878375765fd
- SSDEEP
  
  6144:Lx8KOdzOqfSK533Uaz42DfXT/D3WRJXhHy5ieqYJAMxFMc:iLZO6XPDrbmFHy5iuDMc
Score

10^/10

formbook gaut persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds policy Run key to start application

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2