formbook | bd8b30254ce1d23baba8b52511a03859a95e759af99a7786b5c9ad9da6d15da1 | Triage

Resubmissions

18-11-2022 18:24

221118-w112ksbd44 10

18-11-2022 18:17

221118-wxa1zsfb2w 10

Sharing

General

Target

tmp
Size

377KB
Sample

221118-w112ksbd44
MD5

380689c77c0e774a6eacdc773283fece
SHA1

0ff5ecc5efbf9515f785b04b611a9f96e7647548
SHA256

bd8b30254ce1d23baba8b52511a03859a95e759af99a7786b5c9ad9da6d15da1
SHA512

25ef7f5670b93d4af0aaa55c0b3d639e4fab73984e97c615bca34024dccbabc9afae0be1a2267d111c8b82defb9178f95d79bb76723d0a5483589f558e5faa05
SSDEEP

6144:MEa0NRBZNlii7YmnVEXV6ZreY/lwPSiJQcodpV0RnVBnVH9Wej4KHb8Cayf+/mAq:XRBZNv7Y4VaVa/mP3SGVBfWywyfcpisU

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Targets

- Target
  
  tmp
- Size
  
  377KB
- MD5
  
  380689c77c0e774a6eacdc773283fece
- SHA1
  
  0ff5ecc5efbf9515f785b04b611a9f96e7647548
- SHA256
  
  bd8b30254ce1d23baba8b52511a03859a95e759af99a7786b5c9ad9da6d15da1
- SHA512
  
  25ef7f5670b93d4af0aaa55c0b3d639e4fab73984e97c615bca34024dccbabc9afae0be1a2267d111c8b82defb9178f95d79bb76723d0a5483589f558e5faa05
- SSDEEP
  
  6144:MEa0NRBZNlii7YmnVEXV6ZreY/lwPSiJQcodpV0RnVBnVH9Wej4KHb8Cayf+/mAq:XRBZNv7Y4VaVa/mP3SGVBfWywyfcpisU
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookhenzratspywarestealertrojan