formbook | 37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2 | Triage

Sharing

General

Target

NEW_ORDER_00041221.EXE.exe
Size

6KB
Sample

221007-sqrtdachhm
MD5

78715a3a620e1f4b1937a1bd7e764e57
SHA1

0b67de4eaccbfe16d41bedc538b2a64bffaecbb0
SHA256

37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2
SHA512

b55a095194d506bd111fe9d93440ee97be0f9418256e839ee3ce892af1206711402c493bdbeca021d4187433c0f080febfa44451e03737c3ddf6f0b6c9ccd91a
SSDEEP

96:x+UKECqBC+bbhb4Lp5zV6ur8y2LnfoYYMxaDzNt:xgwHhcLp1V6ur+LfoYY5F

Score

10^/10

formbook gski persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

gski

Decoy

w4dqmeRbroucK1d6Rjoieflr

4aOmGT8hdudzUsv7ZSwieflr

3sTC4jMnhzX+pOJNTZ4=

JcH9cI2V8BEeA0eA

doY0NLSYANTXiHt9/fbsP706cA==

KhN1zCT4Nb5T//UnNQ==

y4/RV2RRqNEr0c4nzNWP

x8sfUpcmiXqxdfls0dSN

rlygM3RQmQ7DliRSBQUKpWJ/FuU=

s672RU9HtT3XWaTvdEidsoLRjZb5J5oE

uaT/Znv3O9WfXs8GBluj2Z2szeMP

QvElhI8JUPHBlRsjsodB5GmUzO0W

2uM5rt7BEpcswwJhDA8JnA8=

TDFfhORfvuRP//UnNQ==

MtPNDl4mh1dSxgZs0dSN

ejpoOLXE/Wa7zMwppl3JOt8faA==

8qPraI3lOFSrRmCSR4EnHQc=

+LOpAwtx0LfGnOJNTZ4=

wMQehpwddDxHII+rVCwieflr

8KPhZrjGG//aix1s0dSN

Targets

- Target
  
  NEW_ORDER_00041221.EXE.exe
- Size
  
  6KB
- MD5
  
  78715a3a620e1f4b1937a1bd7e764e57
- SHA1
  
  0b67de4eaccbfe16d41bedc538b2a64bffaecbb0
- SHA256
  
  37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2
- SHA512
  
  b55a095194d506bd111fe9d93440ee97be0f9418256e839ee3ce892af1206711402c493bdbeca021d4187433c0f080febfa44451e03737c3ddf6f0b6c9ccd91a
- SSDEEP
  
  96:x+UKECqBC+bbhb4Lp5zV6ur8y2LnfoYYMxaDzNt:xgwHhcLp1V6ur+LfoYY5F
Score

10^/10

formbook gski persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookgskipersistenceratspywarestealertrojan

behavioral2

formbookgskipersistenceratspywarestealertrojan