formbook

General

Target

payment_copy4_receipt.exe
Size

535KB
Sample

221128-17ybgshc42
MD5

9c00e5d71c6c53c475e416ce9a99c09f
SHA1

2b38c81029cd53a3bb8d6c250f67d77b4f7b565d
SHA256

f1c30b378d3eef6e701672f8af445260991df54f18a922ef13759c83e64386da
SHA512

9b4970b6669fb196ed9ca6f906c94e0e7d417dbb87e96a513cd75d01514035ce479aa94f0c7fcd50cd66a6a2b00555723af4432192c117a5836f6c456d5ab2c4
SSDEEP

6144:lBnlWGbq9Dey0ua8QMaDeQ0mjqKzu6ueVivo3+QivOqN:w9aeErDaylRuuIJvD

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

veh0

Decoy

eulOjQZkipo8

QwbusPrEgpY4

wa2T8+F5rPaBwA==

pHqtrZbvmnkn

FofuGpY05AV1GXzK

QzOsho4z81BsDSpsVf4=

M7qvjwRJ9Uh9sjUPKjJhQHSPC95K0Mb3vQ==

RpDcjMjmrPaBwA==

DnavFlx/AnqVWGkqQw5YGE2yhnrr

fXToBli75WjZUWTwfg==

C+zIIgw1oRGbvqpcfiRFw+MQNA==

a7STeCtyL/CDTAp26zFXE7DXKQ==

DIbpI4a5R7OdZsE=

DoDgGKtSGd1qeqA59V1sAPqn0uBEjCo=

ZfDZ6qHkgbzS75ebtUeUKBg=

miCSMfAn3B8xP8LXw94C

L/zGMQOscy3C0Ox24IGsxQ==

rPlWqyNf+Q/FflzeWXbHY5qx

aDRsdSnOrAu32Q==

tTKuCn+pT5y4wzVmA07fcoyo

Targets

- Target
  
  payment_copy4_receipt.exe
- Size
  
  535KB
- MD5
  
  9c00e5d71c6c53c475e416ce9a99c09f
- SHA1
  
  2b38c81029cd53a3bb8d6c250f67d77b4f7b565d
- SHA256
  
  f1c30b378d3eef6e701672f8af445260991df54f18a922ef13759c83e64386da
- SHA512
  
  9b4970b6669fb196ed9ca6f906c94e0e7d417dbb87e96a513cd75d01514035ce479aa94f0c7fcd50cd66a6a2b00555723af4432192c117a5836f6c456d5ab2c4
- SSDEEP
  
  6144:lBnlWGbq9Dey0ua8QMaDeQ0mjqKzu6ueVivo3+QivOqN:w9aeErDaylRuuIJvD
Score

10^/10

formbook veh0 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2