formbook | 3eacbab11c9f00e94b06ad4feaf37264839faaddb10f611207ae44a460b5b6f6 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.19862.1158.exe
Size

382KB
Sample

221025-qqnevacgh2
MD5

01ea499cc03c239b5a76e6bb41ca0a42
SHA1

78ab722e5695931698e73fbd4b2f3ebbdf6c3967
SHA256

3eacbab11c9f00e94b06ad4feaf37264839faaddb10f611207ae44a460b5b6f6
SHA512

7ffd52908f28a1329c1a068601266af874ed19535809e4abc09a043eb4997401976ba2d1ba2678739508e51df0c91497f5323ea5afe13d62eadeb1d90a43bbd5
SSDEEP

6144:NweE09eX6KKKKKKJEKPMlGWj6C/o1hEMRyjdvbU5R+3zFe6I1dsog6o:aX6KKKKKKjPMltj6rUjjERWehds6o

Score

10^/10

formbook k056 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k056

Decoy

I6ZtzMO4tX+tliE+qt4=

qXwc4gD7yggogn987j5wQsZnc+OhAVE=

nwnBB5b4yZzLwpZtMajutbGT

OPq8wCLHoBNRnmK+wxBDDw==

bTzuol7JkFaHt0Yjm9w=

RVb6jJxpFYSv68mTCxmjAR9EpZc=

gJYxuLCQJ8jpICAakIj5TRIz5d5nAg==

YcNluGLPr6riqCE+qt4=

7tJ2VmdlX7vg97aPDEVtyjjliIg=

oogs8ATrvjR2wK2SEURppMapY0aGKC/Z

rZNRJ05YUdcJNQHYg35h1DjliIg=

fKhsEh/trUJtfzCdkKnAf7g=

RErWQtoPxr3ZgDwd53Sg8K4FuyAbCg==

WmD0j56Vdcb7lWh/svwB

O03oaGRYI2eaNCKTl1KYpv9vXA==

mx7bLs05CuYL16R6NqzutbGT

kNZrspSqg1uq7us=

NyrglqmvhbYmdlnR0J0J

byKycKqcY9f9aQaIyg==

4apJHpfrlofCi0osmHfCAXkglo4=

Targets

- Target
  
  SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.19862.1158.exe
- Size
  
  382KB
- MD5
  
  01ea499cc03c239b5a76e6bb41ca0a42
- SHA1
  
  78ab722e5695931698e73fbd4b2f3ebbdf6c3967
- SHA256
  
  3eacbab11c9f00e94b06ad4feaf37264839faaddb10f611207ae44a460b5b6f6
- SHA512
  
  7ffd52908f28a1329c1a068601266af874ed19535809e4abc09a043eb4997401976ba2d1ba2678739508e51df0c91497f5323ea5afe13d62eadeb1d90a43bbd5
- SSDEEP
  
  6144:NweE09eX6KKKKKKJEKPMlGWj6C/o1hEMRyjdvbU5R+3zFe6I1dsog6o:aX6KKKKKKjPMltj6rUjjERWehds6o
Score

10^/10

formbook k056 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookk056ratspywarestealertrojan

behavioral2

formbookk056ratspywarestealertrojan