formbook | ae501526749f1e9348695e40b2bc662fa66a963acae5c0f42a5ef97c2ccf2652 | Triage

Sharing

General

Target

DAISY V.ECL1108W-PDF.cab
Size

839KB
Sample

220915-qemzyadbf4
MD5

163784fa3b7a520886cd9548d67a7ae0
SHA1

1c4c35df5b736392cde54c5ba0daa471cf749862
SHA256

ae501526749f1e9348695e40b2bc662fa66a963acae5c0f42a5ef97c2ccf2652
SHA512

6a0fabe6532cf09b30173efa7afed047e408632a0834e17297c8d524cbc0e30af6cc2abdab64b25339273fe3fb3c54dce706ed027b838947b01c1d22ed8feacc
SSDEEP

24576:hEi/SLh7L8qU18G7hWCX4gcilM9WptB0stPj51o:K4SLZZVChWC4ilJ90stjo

Score

10^/10

formbook gftl rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

gftl

Decoy

IjDMdEds4VxswkZohFOAqjKO4A==

l7rr2+HU1zJWktVfh6Mzwg==

P8/xwpTCEHqH3kZbtUdxyw==

u+MoBMODgtbuL4+47gY87Ql/o16iXw==

uMttvZVE5NJ6CYn/uVSzeO0=

0VdqQAM7kvsTXvA3UTeU9A3feTYymzZ5

IUTPCMp6QzzOa0qqFKf/

iaoNejxy8OKHSmW0VbzW213O

H7bDfR0MFX6Lj7z/lfhYK68VN701CFzpxg==

ut54jk4KGHebnFibsg==

1OI2T4W9D3l9ndv+JPwhKmnd/Q==

4uZg8GFjkiw/fw==

WXvoHrnqu6pKzkGrsI0=

TwAElWOdDLefL+g=

PK90+NoUkIQny7fZVfZGr/I=

0dN0ukewQtepO/A=

vd9RilQcHRyE1/oT

PrfTkyENAqjGGpK6ug==

tMMioKIetj1VqCZjtUdxyw==

SCOEUd6QE9o=

Targets

- Target
  
  DAISY V.ECL1108W-PDF.exe
- Size
  
  1.1MB
- MD5
  
  93e57450c90b6912c657fde7b76ed1db
- SHA1
  
  ae39be063eebbd6d318dd312c5bd82e87555be73
- SHA256
  
  6f12615981ea5f427f54ef352f8f2c08bc2accdd0102fd65cf3a0f645daa21bf
- SHA512
  
  e87811eee759aa3abeda2cc5d248bc129b1f5ccc091ec3312f5514cd174b95bd21316f649f6babbd0641e5d87047d239b044d7d7a640fc5097a874e9f5c5df2f
- SSDEEP
  
  24576:aYFhmyryU1xr7hWeXjBcM1M9Yp+J0stPahm:aYFsdAnhWeqM17w0sFahm
Score

10^/10

formbook gftl rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgftlratspywarestealertrojan

behavioral2

formbookgftlratspywarestealertrojan