formbook | 7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd | Triage

Sharing

General

Target

7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd.xlsx
Size

688KB
Sample

221127-wbwessah9y
MD5

64af151191f5d60b7ace7a8cb31e7948
SHA1

82c8c29ab11837559b42a7565e6fa14668dc9ece
SHA256

7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd
SHA512

6e34005d4dce744969886be0dae13d653ae3dd9632e539b94bc5891b90b48b450cf4d1105ec8b2f6cf9a3dfbe859bca0cad102fae4b2925d03ec1f3d0927e94e
SSDEEP

6144:6KmZ+RwPONXoRjDhIcp0fDlavx+W26nADOiYsPKcK7jtlSEKWiWJKL4lHWyy5zJ+:6KrpM3STW7jbqzJVzNJ0hDkZpI7Z

Score

10^/10

formbook 8hj6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

8hj6

Decoy

BPkphuLe3gBqfzJH1ZS0lzbRYw==

AMTxHcVHvLNwyogVF8SBkayHurU=

LOpN3n9Pjs2UI+oi1TMRyKqm1zr7Wg==

JDMgT/Us5w/NixQ=

MPSFlLYAFB3z

WeAEPsYnuT4RqJgSAw==

Cc9tepEFmnhatTrwHgQbNHQ=

iCGVsr8Lk3gUwXgo

+YX0IkWtcWZX445/IabQ

dFLJMtQdnup8p2CMDw==

TQ/GAhh5CP3nUMd/IabQ

g1OUvdLuvC4imZZbVQXxyGML

FRedytsqrpCA+9wIZeeMmayHurU=

k5OZ54nDlIIUwXgo

GCU1ZPY+TeKX9582

KvKuwGN8c9vk

o2mQnTrCiPq9omMhmTs=

SQ9FZuwk+GJXWA==

r03GDqMLl/PfqJgSAw==

2tPB6oKzhZBJmlhnzZUMHGk=

Targets

- Target
  
  7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd.xlsx
- Size
  
  688KB
- MD5
  
  64af151191f5d60b7ace7a8cb31e7948
- SHA1
  
  82c8c29ab11837559b42a7565e6fa14668dc9ece
- SHA256
  
  7b34fede01164a6602eccc2e71a58535a8e484562fe634c82fcf87256f951bcd
- SHA512
  
  6e34005d4dce744969886be0dae13d653ae3dd9632e539b94bc5891b90b48b450cf4d1105ec8b2f6cf9a3dfbe859bca0cad102fae4b2925d03ec1f3d0927e94e
- SSDEEP
  
  6144:6KmZ+RwPONXoRjDhIcp0fDlavx+W26nADOiYsPKcK7jtlSEKWiWJKL4lHWyy5zJ+:6KrpM3STW7jbqzJVzNJ0hDkZpI7Z
Score

10^/10

formbook 8hj6 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbook8hj6ratspywarestealertrojan

behavioral2