formbook | 5bb96d0e0036475868552414f3645cd7bd779629f1c9ffdbb5da32af26fd641f | Triage

Sharing

General

Target

PAYMENT FOR PT1098.exe
Size

807KB
Sample

221122-kw59ysbd7z
MD5

e78a007b4a9befa903f31bc219bcbd75
SHA1

c8f9c31c70aa6a20dc7e20a909e23c2672af9014
SHA256

5bb96d0e0036475868552414f3645cd7bd779629f1c9ffdbb5da32af26fd641f
SHA512

65fd00bf0bfc4a13bef52a98beff89c68859d0fe21477476932ef9a2841f2ba5a3acf69f1ef5766eee2277a8b8cacf36f745c0555c11358bd2c680b68e47259b
SSDEEP

24576:Wr18+L74mBfNUstzo38/JY7xki2xTq1r3r8JN:WrO8/JYlDI

Score

10^/10

formbook 06eh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

06eh

Decoy

LFsv6dX2ii6R8OphWwptZ9Uy+geJcQ==

F2g1Ra3riiwsEeceZ+kPoyzVyQ==

m7+bOE66nh10jg==

Dyb/VMcRh6yNuvVNwJjlrzs=

3yNAvKD3bmuj1Q4=

K7hi/htWsKfW6xc=

sqpSY7/gcvvY0tm0tWucCg==

LnSqfZJAUour0Qo=

Il4dO5W4JE9OlQYNbHc=

LUYTY9QKZHZPe74hTaa/ljM=

Qg6iySJSuuTgNcboVm4=

SJkvGoebIdDEsJn9AI7yPbNK

DKBLqQM7m6oaUKM84/sIFQ==

GOOzpszYDX9lkuZQ5pmdrDDeyg==

V5064wgZl0G1DxNTv5jlrzs=

Onlr5MMHSXuH/91V

oddlSLzpBTyiCAtcvmSS

ITsUV4Gw/mkWaGLjCHs=

HqWBQYO4SQBinnio6GmL

tDrGMY3MC5e1KdgFRw==

Targets

- Target
  
  PAYMENT FOR PT1098.exe
- Size
  
  807KB
- MD5
  
  e78a007b4a9befa903f31bc219bcbd75
- SHA1
  
  c8f9c31c70aa6a20dc7e20a909e23c2672af9014
- SHA256
  
  5bb96d0e0036475868552414f3645cd7bd779629f1c9ffdbb5da32af26fd641f
- SHA512
  
  65fd00bf0bfc4a13bef52a98beff89c68859d0fe21477476932ef9a2841f2ba5a3acf69f1ef5766eee2277a8b8cacf36f745c0555c11358bd2c680b68e47259b
- SSDEEP
  
  24576:Wr18+L74mBfNUstzo38/JY7xki2xTq1r3r8JN:WrO8/JYlDI
Score

10^/10

formbook 06eh rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook06ehratspywarestealertrojan

behavioral2

formbook06ehratspywarestealertrojan