formbook | 10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b | Triage

Sharing

General

Target

Order Specification-887762.exe
Size

742KB
Sample

221003-hsnjmacda9
MD5

03c2f941af8cede493cd177fbe9cea96
SHA1

f811f24a5bb048e5aaec2e7456bb6597c2408359
SHA256

10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b
SHA512

2a71ef2dd5bfdad6a167a9b1c735e256cd6775614fe672e3e18a858fad87542b6c136383d5aff0d95739a496fb94d9b0ccf70cfa4903d8b5e81550628fe53b0c
SSDEEP

12288:1Ov5jKhsfoPA+yeVKUCUxP4C902bdRtJJPi+FqA/vJ1saEauZDa+:1q5TfcdHj4fmbv9VEzNr

Score

10^/10

formbook qghw rat spyware stealer trojan upx

Malware Config

Extracted

Family

formbook

Campaign

qghw

Decoy

xChQ23PgpSUcmpWLjuMuslhaM2JdOQ==

CW+fAqYA5jJmTUxKVCQtWo1M

2u+t6sYq3/El6wWQxrs=

X3CmNeyJR1gJ5UMD3zpr5ohLoprqKQ==

ig3FIEYxGixd

MLrqHMXkW6KgchF/zKw=

bFYIVkZg4yrqh1hU

W7nhL9Qzxgt3I14NUA==

RKzPUex3O7zImhsRl7sCLNE=

88SwOgQ5uheBI14NUA==

WTPEFO8WoVpu1hF/zKw=

l+D4dxIxsP9svRvT3XJ6rg==

ChLG86LRTZ8FuJpTi+TvYUs8ag==

TiG7RPiVV19GVEhJ

tReJEdUq4Oycdve2e1i6qw==

NJTJ54zHSaCiq8HXRw==

+H696YbukBW/km8p8coWYUs8ag==

rcDAPOhzanyGY753Op/aSnDvRuDL

GgbAVAacXGBGVEhJ

BtZzBcIBhp7mujAcm7sCLNE=

Targets

- Target
  
  Order Specification-887762.exe
- Size
  
  742KB
- MD5
  
  03c2f941af8cede493cd177fbe9cea96
- SHA1
  
  f811f24a5bb048e5aaec2e7456bb6597c2408359
- SHA256
  
  10df8c533f48189e56d16dd5d04d838f592cfe8d6c1690fe29454ec308c6e12b
- SHA512
  
  2a71ef2dd5bfdad6a167a9b1c735e256cd6775614fe672e3e18a858fad87542b6c136383d5aff0d95739a496fb94d9b0ccf70cfa4903d8b5e81550628fe53b0c
- SSDEEP
  
  12288:1Ov5jKhsfoPA+yeVKUCUxP4C902bdRtJJPi+FqA/vJ1saEauZDa+:1q5TfcdHj4fmbv9VEzNr
Score

10^/10

upx formbook qghw rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookqghwratspywarestealertrojanupx