formbook | 89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6 | Triage

Sharing

General

Target

89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6
Size

387KB
Sample

221118-24kfwscb65
MD5

420f3718285fef98dcbb490383c40efd
SHA1

58b55c7c809e3e126c0985fd67fe1053f790924d
SHA256

89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6
SHA512

0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382
SSDEEP

6144:0Ea0MrcKg0tmqPCAUtQjt/+kuVnC0bdltM2qkF0stSDVhvLP0ZvXDPLyiO3t2v3S:mrMLArj5+kElJqBOwVhTPKvLmiOd2v3S

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Targets

- Target
  
  89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6
- Size
  
  387KB
- MD5
  
  420f3718285fef98dcbb490383c40efd
- SHA1
  
  58b55c7c809e3e126c0985fd67fe1053f790924d
- SHA256
  
  89e3278b4afa50ac135ccc101ee85abe02ef3d1150d8c270eb9936f45b29e7c6
- SHA512
  
  0fe09d790dfca15ca4e09b09499d7ccf5cba2bd552898df88e74700242f4d71c35306dfefc4896a1465df226a3e4909822d284e6da241405586e273a83221382
- SSDEEP
  
  6144:0Ea0MrcKg0tmqPCAUtQjt/+kuVnC0bdltM2qkF0stSDVhvLP0ZvXDPLyiO3t2v3S:mrMLArj5+kElJqBOwVhTPKvLmiOd2v3S
Score

10^/10

formbook f4ca rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookf4caratspywarestealertrojan