formbook

General

Target

Scan AR441 SHEETS.exe
Size

483KB
Sample

221123-p476qsda48
MD5

ae6e5c25ef61b57b0474c12fb74b9880
SHA1

feb3c0ced829b8ab62d94267f4ec0578ede5e58a
SHA256

31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
SHA512

0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
SSDEEP

12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

pfgc

Decoy

hBGNx7LOg1/1V9He6Lr1odiL8A==

JUtMWPUI+jYE3h2D0VXJrkViyWlklw==

9Onb+iNxE//TbnVsww==

+zlULMoiC8l+8Tev2wK6Xpt3qkQ2

vv/ckxYzTsV3W3KwMKjDf1rK+A==

fiNtn8AUmEDcSGooP0OzpNX0

Vo+DIT5uE/PEbnVsww==

JzMzXJDojoBk5EcxFTKznOD+

hxRyvNTzW6eTCQ==

/CcTv23E93dcQXf9RUb+

n6ODTfEg31QE9F0=

V9k3j8Pew4FJqasspfOBQNk=

mq+vfSOVMzCmhwN1wUeUUME41Pw=

1frRhiXBVRSqDTLo46vXXNc=

WP9xcxRKdPLGtCeZ8VMcCsA=

dIBJ53JHoTO5

tlakzPSKiYl02hJYqJQdC8I=

EiPtnEnwhz/bMaJp+a0cj8g=

s7mOSbbN8GbPM3von61MR8E41Pw=

HFhN1/bX7Umz

Targets

- Target
  
  Scan AR441 SHEETS.exe
- Size
  
  483KB
- MD5
  
  ae6e5c25ef61b57b0474c12fb74b9880
- SHA1
  
  feb3c0ced829b8ab62d94267f4ec0578ede5e58a
- SHA256
  
  31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
- SHA512
  
  0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
- SSDEEP
  
  12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas
Score

10^/10

formbook pfgc rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks QEMU agent file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2