formbook | 16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6 | Triage

Sharing

General

Target

file.exe
Size

626KB
Sample

221028-r5vyxafgg9
MD5

031281aa0667cba260ddad6f77c89ccd
SHA1

17b747e3e1de9296f862d522a9664046d2d3469e
SHA256

16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
SHA512

f4715533c2f535964dc98f581887abc1a9daf68f913b9b316762ddf169b4209458fbeebed8173fca65c7d4732087bf0b0e4369fa440cebd45772d77559820ea2
SSDEEP

12288:bItKcNGvH3x+D0NDO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHS:bItK9H3xbJZlT+lQTD/O3BArRCHS

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Targets

- Target
  
  file.exe
- Size
  
  626KB
- MD5
  
  031281aa0667cba260ddad6f77c89ccd
- SHA1
  
  17b747e3e1de9296f862d522a9664046d2d3469e
- SHA256
  
  16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
- SHA512
  
  f4715533c2f535964dc98f581887abc1a9daf68f913b9b316762ddf169b4209458fbeebed8173fca65c7d4732087bf0b0e4369fa440cebd45772d77559820ea2
- SSDEEP
  
  12288:bItKcNGvH3x+D0NDO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHS:bItK9H3xbJZlT+lQTD/O3BArRCHS
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookhenzratspywarestealertrojan