formbook | 3d1672c7a51602f091b622285fbcce4aeec4522d428a1a2179b2f1033c94b3e3 | Triage

Sharing

General

Target

3D1672C7A51602F091B622285FBCCE4AEEC4522D428A1A2179B2F1033C94B3E3
Size

269KB
Sample

221123-r2v5haab94
MD5

e6cf453714f173ec38a48cdde5a7368c
SHA1

5598dc5a4e09b119ea7d8e2ed02b126f4c869b36
SHA256

3d1672c7a51602f091b622285fbcce4aeec4522d428a1a2179b2f1033c94b3e3
SHA512

80a5e704a857fe8d18d673bbfdf8e94ede9ff3f1d4a4edb4c34bd26d3adeaf922edd192a744e70bbb5a308295fb9138823ca47f2682910699a8750eea15d063c
SSDEEP

6144:XSnatkeXNHhPZt6EMw+XYcFGujqdcK7po/zSLXCW:inatRNpZt7Mw+ocF1GIzYXf

Score

10^/10

formbook xhnq rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

xhnq

Decoy

kkL8Pu8x+4S6wfoCcvftOA==

496LxjKjebwp3Q==

ZNpe1artufAiEvfm

4CIcGQGlfZxOWk0WfU+wmLwHYNU=

nCqrPAt3AVekKygjamfKlLwHYNU=

t3ppAKZhQHeDNIODv4HKmLwHYNU=

ELBzK0V6QboxkHETQPeEni+H

BrZstrXumvReu6Q5bGAp1idBRcBqdzIWBw==

yNispwXS2wJJ

WzKfqGFL2TuyZbWJfP922LwHYNU=

qOfvZB3ikBBe

02Ae6pxfJKIwxGUzLw==

MK5YMCnhqBH9LYpSyZFZ

P5ZeKBadM4fFMvxSyZFZ

2BhbGIIr3/bytfHx

1awWI9/MRYX7aEHQTgLHJQ==

n61fuJeFBWTZohooVyqYhrwHYNU=

DIoQj5nLfMg27S77/sOCFuzOkA==

X5tPEguDocp8lfoHcvftOA==

MK5fKQV570dBgQSTAfs=

Targets

- Target
  
  Product Specification.exe
- Size
  
  281KB
- MD5
  
  49b374a64015666e9ae51070c7df038e
- SHA1
  
  5cc61425c317ff5256811adc6ecd9e224ee7c3d4
- SHA256
  
  2d0bf404b71b81df2a8256b7adb927dfac1ed504c968f0c7e07dd3fea4213bb1
- SHA512
  
  c437cead3a461959791ff0fff852f3e5df34294af52a427fe0c2e81391a97f5fd25e97f0bddae292230775f49b1dd39cb4f1a873c876cb0f13aeb3a15e8f171d
- SSDEEP
  
  6144:MEa0NTHageXNHhxZt6EMw+XYWFGuZqdcKI+cCzSLXRt:XTHa9NPZt7Mw+oWF/GoLCzYXX
Score

10^/10

formbook xhnq rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookxhnqratspywarestealertrojan

behavioral2

formbookxhnqratspywarestealertrojan