formbook | 1464b060a662f7629adb0bd7399a105e13fd6e8570180f7dc43636aad2b53c04 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

DG2b3P7hOHbJs2d.exe
Size

632KB
Sample

221102-e1c63shce9
MD5

3cbc50037c3bd685e6704ea938d1f470
SHA1

84ab9f936d59b4837821ea59217286caf6466e11
SHA256

1464b060a662f7629adb0bd7399a105e13fd6e8570180f7dc43636aad2b53c04
SHA512

5c226b552b18e73549b52ffc0687c14e46038e13e4d7c74e18acb2f7e7cb5dbca3b81a46bbc4f5df2ad4f51d0bc53008bae1b4e34d8035a0229d6901a700ab87
SSDEEP

12288:qwhuJDNjoEP/lfoHgjpuA3kIO8LayHHxhQvhzps7:xuJJ/oAoA3kN8eyHIs7

Score

10^/10

formbook axe3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Targets

- Target
  
  DG2b3P7hOHbJs2d.exe
- Size
  
  632KB
- MD5
  
  3cbc50037c3bd685e6704ea938d1f470
- SHA1
  
  84ab9f936d59b4837821ea59217286caf6466e11
- SHA256
  
  1464b060a662f7629adb0bd7399a105e13fd6e8570180f7dc43636aad2b53c04
- SHA512
  
  5c226b552b18e73549b52ffc0687c14e46038e13e4d7c74e18acb2f7e7cb5dbca3b81a46bbc4f5df2ad4f51d0bc53008bae1b4e34d8035a0229d6901a700ab87
- SSDEEP
  
  12288:qwhuJDNjoEP/lfoHgjpuA3kIO8LayHHxhQvhzps7:xuJJ/oAoA3kN8eyHIs7
Score

10^/10

formbook axe3 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookaxe3ratspywarestealertrojan

behavioral2

formbookaxe3ratspywarestealertrojan