formbook

General

Target

9ab968a8880c264f9c425ad3595650fe
Size

808KB
Sample

221006-y8xegaaed3
MD5

9ab968a8880c264f9c425ad3595650fe
SHA1

7c4807007c9bf04cffe654cf81b453f2bc164175
SHA256

05cc8314e613ab92484b4cc0cf78ecad96f36d5bfffa8e9bf1188cfb06efa177
SHA512

84e1375ec5e774797bb1eafb6804ddec816875b05640082d2e55ddf47939c1338f7a077a61180f5d8eb2ec5f3c381f6d10c184693d78eea3ee718835a2c04d6b
SSDEEP

12288:/uJOu+1c7Oa4orcO2Z79zjsXl2I6EKJC9xj5WE0onXZ/8yXBMFpuaFwvuuXvliBN:/usZa4orG9zjsYIb/XbJJ23uaeNXNasK

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

r83r

Decoy

dF1arqf0q8jqGHpo

3s5obdLT/D42OkXYzXA=

MY4GqPg1TNBZiXEkrsyhlycGUN24oOaU

wKsmWEGSmhvRwo4=

jXeqRbgNrXzVBjEkt+Ircn8q8uqLRxB04g==

kWzwCGp3hZyQemHg2Ho=

vlaarHzH3YTtXSLeyQ==

LSNL62SxS36qDZBx

QzB7kGyuEkIf

AFmNF5DlgUzZjArFIxovHKlaz9E74po=

C/cWvSksOW1y2Gdi

5FdJf9GEwRvRwo4=

szFiiGFq8ubjqCPe/ChZC0g=

AWObGX3KVG9bBtWG4Mu5

80uIK32XLmNVA4xryvpajNA0

10WHLY+Nqu3Pkw/cKRD3Y6pVG8jd

kW/9OTF2FgXkki8UJM8K1vSogA0XnQ==

mAtF/lLM2RvRwo4=

VNFX6OUCoH1rU0XYzXA=

qAdGBejjez+ZCfPo0A==

Targets

- Target
  
  Ref8810998235 Auto System Generated Order Form 051022.exe
- Size
  
  920KB
- MD5
  
  7bf0c2ef33695a76ec7cf8b489cef20d
- SHA1
  
  0aaced5986e6dd808ce1128233407d6db7331206
- SHA256
  
  832ba5363bd145bbcc01871bf79726fe7d4cfe90d9f93d9cca64598887c91d38
- SHA512
  
  31fa2a2a84ea1474b0f1182d1f6ca8b687c29a5246bb58941c86604065e8ed8bb7e49ef41ab84b5f41078fe82f384eb87ead21ee527c0091dd06b79f1ad64cce
- SSDEEP
  
  12288:oPCJRz6sid7VycOInfQcbD5+6eAPxB4PWbRdxk4ve:qk6/d7VycpnbI6eWxB68de4ve
Score

10^/10

formbook r83r rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2