formbook

General

Target

DHL Express Duty Charge, AWB & BL.exe
Size

580KB
Sample

221123-jn9fzafg88
MD5

53f6cb13cf941ca18bc398d32f845579
SHA1

a09d0166e26b59e01d8f9314c98534adcb6de340
SHA256

12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013
SHA512

c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494
SSDEEP

12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

h8t0

Decoy

pX0T7fJ5SmBsroaYtF/qyNlKtSA=

S2NpcYsZ0sMKKsWw

InTDrCxX1GVhp7fzmK8=

mH5Ax6r2GyAh

GYKFkKD2GyAh

TyWptjZgzlzNV0Y2PtM85dlKtSA=

D/V0extZ3I/PVr6mCqGNazBB

xik8B2uLuILxdg==

oohXUF/7tHGxQs42SvIo+64=

7W/2B7CoqOEfY3WqCw==

SKW3c0DvmA991EE=

dx1jYxAG+T9YaOxctM5OqQ==

uBwqzYUt3KHNKEI1Oq/2tV4UUQ==

HkhDv2iluILxdg==

O8ca/3Z0p/xD0dc9jwgr2g6oorw/DA==

CdVTZwxFv2LSRyckeO1Uvg==

UaO+if0kiQ0HHe29lwaEIv+morw/DA==

wB5RfRm6wFunIVY=

UvpBQ+Ucf97/PRGJm4v8

s86lipNDSIu9D/IqkUIhHGUMTA==

Targets

- Target
  
  DHL Express Duty Charge, AWB & BL.exe
- Size
  
  580KB
- MD5
  
  53f6cb13cf941ca18bc398d32f845579
- SHA1
  
  a09d0166e26b59e01d8f9314c98534adcb6de340
- SHA256
  
  12748aea84778652c1b2fef43117bdb42de3061f4a4376927ca27154cce42013
- SHA512
  
  c272cc3432ad0ed6946fb6c95a9e76842f605b66096bfc86203245176e460494ed670f718110468c9c71957dcd29d66006b7738e40e951cb06f9c762234c2494
- SSDEEP
  
  12288:isDRL2aOfokSwTh/TCu3SCfn1YD9wj0lmbPOFh7HuTO:DJOfo9+8VCfn89QPOB
Score

10^/10

formbook h8t0 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks QEMU agent file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2