General

  • Target

    formbook1.zip

  • Size

    335KB

  • Sample

    221124-xzd14agf7w

  • MD5

    d23a094e4d1b7ca88e4377c2a7e32b14

  • SHA1

    842c08c7fa2d3d1adb9c878f37eb6ca57b5bd872

  • SHA256

    b28433b134dfc7369d03c867c8bfdc1f133f922490d92ec2d60d3a6140a0a82b

  • SHA512

    b3336134c2d9565ff4de574a8e0ece86edc915b8191b53d42ff6b2ca87ea8cf612a1a9ff3b89ae3d4b2d2390d6640e57d2dd5067632938aa6d22e9ef76ae32ef

  • SSDEEP

    6144:Ie8pjY/fIJCQTaYFR1cD8YGMOs5EF75nMWa4zb3Dp/TkLrlkD3kDSJr0p2MVc:3EY/fT4g4rl7BDpAL5kD8SSi

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Targets

    • Target

      formbook1.exe

    • Size

      433KB

    • MD5

      9672b2beca3027b6f008dfc291d21777

    • SHA1

      9dfa2b2cc3d1f04fd715068e9eee238d6b1ca5a7

    • SHA256

      ba10a45e13a79398a5802c91636684e54e53f26409feed99e7c89bbbe0c720d3

    • SHA512

      6396c39d4b9da16e541bb29659737d9841c5841c808c58a7d88accb35715d673820d63679ea0e0ff7642cd952158e11029b5fd689b0588cff8987816df3ccb2e

    • SSDEEP

      6144:6bE/HUrUAGxkcrTRkHqqZMWq1cD8YGMOsPEF75noWa4zbzDp/TkLNlkDfkDSDr0x:6bkxJkKqx4rB75HpALLkD0SMx

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks