formbook | 2e67fc9621c2da834965d57296fa32223b766d5a99f0aeae7b904f5d5a010529 | Triage

Sharing

General

Target

2e67fc9621c2da834965d57296fa32223b766d5a99f0aeae7b904f5d5a010529
Size

227KB
Sample

221123-ltke5sff8x
MD5

93e23223ae438e4a7121113f110197cc
SHA1

a90f2a455bdc7cd6e97533e2912ef39df04064cd
SHA256

2e67fc9621c2da834965d57296fa32223b766d5a99f0aeae7b904f5d5a010529
SHA512

939661dc1e5146102767a817bc5b3d92c134a24b2984ab425a43cb14b0a293662b3a8f649755de0b285641255fca6a55affc8ed410bd8c4330e5abe40d5c187c
SSDEEP

3072:531l0kRthc9zH+hzgvCyrZRhvjdmTCzV2Z9zle7xWTm2mu/f+0vqlz4EgAY6MVLo:531ukjhc94ytX3zMg7xkd+0v96cLsfB

Score

10^/10

formbook nf35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nf35

Decoy

tBnrD3YKFOOZL5Y=

iDWqMmvFXWdPjwrVyg==

Mi+2XYdTddDZjOFylYbC75w=

0CngqOrR1wIPvRDlxffi5ow=

0A/A3EXbosXuAiXn0w==

B/vQ9VhlqkveYLN3WSyC9KhVaVLC

jDG6d+p8NVnbSKM3k9X49qKGmmA8rOg=

D0Ph2f5O/+Ubmg/nyg==

Virrs5Ryq0nmaeTXw9/T9JU=

B8l/lfoUXwS6/fvczt/T9JU=

bYcGzDhAixEnGR7zcO2JF79VaVLC

JwcApzyrhEtKIQ==

PS4USZ9kULjr4KpwpNEn8w==

jdV+IANzTFXuYOPgz/fi5ow=

Vv2tgOmx4lZlPybYj9hj

t+qr3Eq1TfBDC/nq1Q==

jKk21gjq81fDf3ll

o8tyfKj+n4Yu+y8hl+crD+W3WU/K

kO+vd4HbxIyEOg==

o3E0Q6S7+V9pV1E+rZ3LU//SfkWCOFS+Xw==

Targets

- Target
  
  SWIFT MESAJI.exe
- Size
  
  295KB
- MD5
  
  6e61d20fbe58472cb648dd237d93292b
- SHA1
  
  f380ad86dd042ed393a4be7ff311b9b2800bc60d
- SHA256
  
  6067ef8eb25ca8f5d986b296550ed75294fd0f20fc795d23883f5884224632e4
- SHA512
  
  99ceca2853e70c55b74309d31309075cf0ab9c05d4786dfb5827d7fcb2b35d45b3274fe28292b5c24712ef07ae9f0eea9d718ff16074d262fe6c81ce2ef69777
- SSDEEP
  
  6144:lEa0Vp7O0FZ9d46iZ+D0iONVTqzLOvJK4rdOg:SzZ9dliZoNLOvJK4Ag
Score

10^/10

formbook nf35 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbooknf35ratspywarestealertrojan

behavioral2

formbooknf35ratspywarestealertrojan