formbook | 5644b2a6b24189d3ffd6e90413150e01dc160e33a062e158f0ef50e0bd02e310 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

DOC21AZ068G2022.exe
Size

258KB
Sample

221026-dvanbsefck
MD5

868608b7e90e467edba786effe32dfea
SHA1

6de62b0cd19ddaad25b80ced29d35d80410d1ca4
SHA256

5644b2a6b24189d3ffd6e90413150e01dc160e33a062e158f0ef50e0bd02e310
SHA512

c5e76faaafb27d519933f50c3d3961943c29fe3c7e59b125a5fd08eec7f6acdcfbc4071661dae1d2b63216b9a417f2fdc9c674ac03a20ba05a17a1b4e5f34100
SSDEEP

6144:mbE/HUbk4BzCq3T0yLj6tV/SnSUp36J6fPy0nqFm:mb/xPz/nN188lnqc

Score

10^/10

formbook axe3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Targets

- Target
  
  DOC21AZ068G2022.exe
- Size
  
  258KB
- MD5
  
  868608b7e90e467edba786effe32dfea
- SHA1
  
  6de62b0cd19ddaad25b80ced29d35d80410d1ca4
- SHA256
  
  5644b2a6b24189d3ffd6e90413150e01dc160e33a062e158f0ef50e0bd02e310
- SHA512
  
  c5e76faaafb27d519933f50c3d3961943c29fe3c7e59b125a5fd08eec7f6acdcfbc4071661dae1d2b63216b9a417f2fdc9c674ac03a20ba05a17a1b4e5f34100
- SSDEEP
  
  6144:mbE/HUbk4BzCq3T0yLj6tV/SnSUp36J6fPy0nqFm:mb/xPz/nN188lnqc
Score

10^/10

formbook axe3 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookaxe3ratspywarestealertrojan

behavioral2

formbookaxe3ratspywarestealertrojan