formbook | 75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01 | Triage

Sharing

General

Target

DHL Shipment_pdf.exe
Size

253KB
Sample

221128-jfabxafc46
MD5

6c47810c50e5d51c52010f6497b192cc
SHA1

46c1da4c046006d84a306b824e2f9f65a034e389
SHA256

75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01
SHA512

ab56561a813a1730a63c3d474178d7a0d57394979eb8d5babd98742a3556f4805b88e13c505dbf5169740cc0a3dbffb994b58284d9343f64d835042299e8bbcf
SSDEEP

6144:xBnQPEBXJ9LLlsp1mjwi2OsedFcBzX1GuW5uC1O:8P4Zc1Ow5eTcBbAn5u3

Score

10^/10

formbook olus rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

olus

Decoy

lFwthdzYgacRjF3H

V0HcUpvjRfyxLCVc/Qu1

fVMwe8B1QkymDetjpI9uzecX

QgKu/wmjhaT79V7jTK/HjhUCywqs3TQ=

21I9i5OSAoodam1rOQ==

QCVAvA3e02NvjlzP

khZ3sq8WGuiMAg==

K+U9rwDkZhi7

Uii7NZQ3FCKY+7Agf4JuzecX

nWYwbrNxWOGgJCNc/Qu1

yxFqsrsU9YyQnUJ4pMtHWw==

H+pDjL3qLrqbfeQYPlmASHc2eg==

OKO55xmvnyzvSF1uS5I=

VT4daWvLpsxvjlzP

SaUHe81zYnTzcTZc/Qu1

Df2M0dtCH1sGvxA5Jw==

NAsWerPSMayThrruHxHdjjUqeA==

+Nxhp7kZ4v7L+nvFkI0=

KhEcfId5vUQQezJiSbvWaZrdJmg=

9aEE7WN4555vjlzP

Targets

- Target
  
  DHL Shipment_pdf.exe
- Size
  
  253KB
- MD5
  
  6c47810c50e5d51c52010f6497b192cc
- SHA1
  
  46c1da4c046006d84a306b824e2f9f65a034e389
- SHA256
  
  75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01
- SHA512
  
  ab56561a813a1730a63c3d474178d7a0d57394979eb8d5babd98742a3556f4805b88e13c505dbf5169740cc0a3dbffb994b58284d9343f64d835042299e8bbcf
- SSDEEP
  
  6144:xBnQPEBXJ9LLlsp1mjwi2OsedFcBzX1GuW5uC1O:8P4Zc1Ow5eTcBbAn5u3
Score

10^/10

formbook olus rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookolusratspywarestealertrojan