formbook | 31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2 | Triage

Sharing

General

Target

Scan AR441 SHEETS.exe
Size

483KB
Sample

221123-p476qsda48
MD5

ae6e5c25ef61b57b0474c12fb74b9880
SHA1

feb3c0ced829b8ab62d94267f4ec0578ede5e58a
SHA256

31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
SHA512

0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
SSDEEP

12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas

Score

10^/10

formbook pfgc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pfgc

Decoy

hBGNx7LOg1/1V9He6Lr1odiL8A==

JUtMWPUI+jYE3h2D0VXJrkViyWlklw==

9Onb+iNxE//TbnVsww==

+zlULMoiC8l+8Tev2wK6Xpt3qkQ2

vv/ckxYzTsV3W3KwMKjDf1rK+A==

fiNtn8AUmEDcSGooP0OzpNX0

Vo+DIT5uE/PEbnVsww==

JzMzXJDojoBk5EcxFTKznOD+

hxRyvNTzW6eTCQ==

/CcTv23E93dcQXf9RUb+

n6ODTfEg31QE9F0=

V9k3j8Pew4FJqasspfOBQNk=

mq+vfSOVMzCmhwN1wUeUUME41Pw=

1frRhiXBVRSqDTLo46vXXNc=

WP9xcxRKdPLGtCeZ8VMcCsA=

dIBJ53JHoTO5

tlakzPSKiYl02hJYqJQdC8I=

EiPtnEnwhz/bMaJp+a0cj8g=

s7mOSbbN8GbPM3von61MR8E41Pw=

HFhN1/bX7Umz

Targets

- Target
  
  Scan AR441 SHEETS.exe
- Size
  
  483KB
- MD5
  
  ae6e5c25ef61b57b0474c12fb74b9880
- SHA1
  
  feb3c0ced829b8ab62d94267f4ec0578ede5e58a
- SHA256
  
  31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
- SHA512
  
  0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
- SSDEEP
  
  12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas
Score

10^/10

formbook pfgc rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

formbookpfgcratspywarestealertrojan

behavioral2