formbook | cfe210ae906aaa82fdf2bf3879af8f271897e5497c285140d1ca130b38936982 | Triage

Resubmissions

19/10/2022, 07:23

221019-h7v71sfab6 10

19/10/2022, 07:19

221019-h5z37afaa7 10

Sharing

Copy URL Twitter E-mail

General

Target

vAsA7v93dCn2vOg.exe
Size

1.1MB
Sample

221019-h7v71sfab6
MD5

b66e3047c2dd35c5f477b29c12bf8499
SHA1

bda916b26b30ede5e2817c736afbc54cf06cc2b7
SHA256

cfe210ae906aaa82fdf2bf3879af8f271897e5497c285140d1ca130b38936982
SHA512

5ba8b8d10408bfce85c2e84d90f6f4e99195d1da14f6d76343e10c6de3144a4ff10d07f82bbac8588e048bc6f56fd00fd1a1d60f14d557f0051f49bb418f7938
SSDEEP

24576:8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8qAb+RWK:QqAqRWVg35/qroFdj

Score

10^/10

formbook axe3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Targets

- Target
  
  vAsA7v93dCn2vOg.exe
- Size
  
  1.1MB
- MD5
  
  b66e3047c2dd35c5f477b29c12bf8499
- SHA1
  
  bda916b26b30ede5e2817c736afbc54cf06cc2b7
- SHA256
  
  cfe210ae906aaa82fdf2bf3879af8f271897e5497c285140d1ca130b38936982
- SHA512
  
  5ba8b8d10408bfce85c2e84d90f6f4e99195d1da14f6d76343e10c6de3144a4ff10d07f82bbac8588e048bc6f56fd00fd1a1d60f14d557f0051f49bb418f7938
- SSDEEP
  
  24576:8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8qAb+RWK:QqAqRWVg35/qroFdj
Score

10^/10

formbook axe3 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookaxe3ratspywarestealertrojan

behavioral2

formbookaxe3ratspywarestealertrojan