formbook

General

Target

payload.exe
Size

185KB
Sample

221018-yzmhxadee7
MD5

14382242e215d139c77c0ee9bb0c7ad6
SHA1

3951322a28787e4757fd3715d518103d6c054960
SHA256

5017913bca4c5c1eaf5646e3983f9d8fc4e52f4a66406f46f3029952ae1fde70
SHA512

1f4eef4d4685ca466702b45fa163e31089c031d2c491b4a14279bf28cba64a1aada928536df2970399510c4efb093ab08c7a05f0223fde66e751e20c26e07a4b
SSDEEP

3072:yXoVNpuuK+ArjKxjCpZomp/04AkJmHrwF8gUdSl5xCZqnr/xA3unPu:bfp5SZow/04tUuUdeSqri3gu

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

knnt

Decoy

65SBubRb0cQTZyel+RrmtuIytWG7hIY=

lxY8gZLYuXPYl40/

IBCcbQLOUkWVL3cA/DkK2ei+vuKlXA==

4Lo6dar405m4hxqWl58sOc0=

4KyQBqNrzYWTI6Iv016m7BZVvuKlXA==

PyCmasPI0Lj0JTU=

hnoGNwDmybXus0PVH2S1Td2l0ZTJ

s4CRDagqgmaCo9bOBD4i

T5IbS3G46ZbN8RncbsWuAiWl0ZTJ

2vxQ/T6e+7vkjz9yriaOpBbO8bYapwAu

55558Jha4dgR7PCZrQ==

O9KAFJVY3c4V1Xi2rEGne4ZMtSY=

ZPih22lkYU3Yl40/

mCc1tbkLsWeH

MpbgOtnQvGu9jQ==

D6uAq4Gdj3UEkzmKkCOIW4BG

A3rp8NpDzp2Q

4WMaDz2Ff26SfX5xEaABgk0WTQ==

G16+qE5AFMf20h0PxfsyLIZMtSY=

az44qCVNL8dm2vG/nuEbI3K46HT5K44=

Targets

- Target
  
  payload.exe
- Size
  
  185KB
- MD5
  
  14382242e215d139c77c0ee9bb0c7ad6
- SHA1
  
  3951322a28787e4757fd3715d518103d6c054960
- SHA256
  
  5017913bca4c5c1eaf5646e3983f9d8fc4e52f4a66406f46f3029952ae1fde70
- SHA512
  
  1f4eef4d4685ca466702b45fa163e31089c031d2c491b4a14279bf28cba64a1aada928536df2970399510c4efb093ab08c7a05f0223fde66e751e20c26e07a4b
- SSDEEP
  
  3072:yXoVNpuuK+ArjKxjCpZomp/04AkJmHrwF8gUdSl5xCZqnr/xA3unPu:bfp5SZow/04tUuUdeSqri3gu
Score

10^/10

formbook knnt persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2