formbook | af38ed65e2180fd0e6327d2615acf72e514577fbadfdde7d8f6d5b5d0eaf8740 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5.exe
Size

16KB
Sample

220915-qw18wsdcb6
MD5

209cd0d408d821f807779a8302fc665b
SHA1

f822179aa935735dd2d815b86f47f0881f4f7b11
SHA256

af38ed65e2180fd0e6327d2615acf72e514577fbadfdde7d8f6d5b5d0eaf8740
SHA512

7ba14528bb8b2e03a8a501d0e20318de2390a27f7be475cd4a3382665b7bf294615c23d3d6c9b61797eaf331aac21c48a394bd9963f02d3eaab9a04ee18b71aa
SSDEEP

384:feruGi1pbpN4zpreA9Lna27T3A0iJj+9:feC/pUvhnR+a

Score

10^/10

formbook remcos remotehost hqbo collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

obologs.work.gd:4044

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F9UER6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

formbook

Campaign

hqbo

Decoy

mwc6l86PJPZCD9Gt0q391w==

h8WuFPEOFmGLG1Q=

7dt6icaDMSJXNKQRxmsc

VCPQuBGfPDQ74U/hUBcSJRSrwF0=

wespuyTDPCBIysXwj4/23w==

qJYwD3wmybIoqYGP6GoU

N9H9UYIs27f3w+D5j4/23w==

ZDeOOF0sDqq2x+jq

jAZ9j/SZVUuJTK4Rxmsc

syg3zEQb0sUwxTTi

0F23IFLzE2AL2twRDObSkE8=

dpC9Ta1LZLCPptrveCsXkYeT

Z3uaQFxP3gc89j71

e5i3FoJZ48LqdoGXXA==

KIuwBF4KZnpdVw==

oCqfe+J14bIwxTTi

ICIFWLyScNx5Ug==

d/sqxzgYSyaNJVU=

2/UghriHtprPTURW3595e68NMJLPos4=

pEfdvFgCbU5jImqCXg==

Targets

- Target
  
  5.exe
- Size
  
  16KB
- MD5
  
  209cd0d408d821f807779a8302fc665b
- SHA1
  
  f822179aa935735dd2d815b86f47f0881f4f7b11
- SHA256
  
  af38ed65e2180fd0e6327d2615acf72e514577fbadfdde7d8f6d5b5d0eaf8740
- SHA512
  
  7ba14528bb8b2e03a8a501d0e20318de2390a27f7be475cd4a3382665b7bf294615c23d3d6c9b61797eaf331aac21c48a394bd9963f02d3eaab9a04ee18b71aa
- SSDEEP
  
  384:feruGi1pbpN4zpreA9Lna27T3A0iJj+9:feC/pUvhnR+a
Score

10^/10

formbook remcos remotehost hqbo collection persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookremcosremotehosthqbocollectionpersistenceratspywarestealertrojan