formbook | be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a | Triage

Sharing

General

Target

SecuriteInfo.com.FileRepMalware.16929.9956.exe
Size

272KB
Sample

221128-zapseahh4v
MD5

f2455fcb7954e649589e7406fd5acc97
SHA1

2532f710ed4ee7bae1be0f8726b4d599fda03973
SHA256

be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a
SHA512

b3ad6211317fa9159adb8a0a9a2486d091bc56bce288a0843005a90e761f4832d34b60ee28b5fd2c5b4bac5ac2962c144051de99f264bc4d2f6311bfb7711e5a
SSDEEP

6144:QBn1e3XWMCcAYtE3R0n0OZL/mS3SnBLOag9YMHLcxzcsc:goGaAYt4OrgO5Zcxzcsc

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Targets

- Target
  
  SecuriteInfo.com.FileRepMalware.16929.9956.exe
- Size
  
  272KB
- MD5
  
  f2455fcb7954e649589e7406fd5acc97
- SHA1
  
  2532f710ed4ee7bae1be0f8726b4d599fda03973
- SHA256
  
  be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a
- SHA512
  
  b3ad6211317fa9159adb8a0a9a2486d091bc56bce288a0843005a90e761f4832d34b60ee28b5fd2c5b4bac5ac2962c144051de99f264bc4d2f6311bfb7711e5a
- SSDEEP
  
  6144:QBn1e3XWMCcAYtE3R0n0OZL/mS3SnBLOag9YMHLcxzcsc:goGaAYt4OrgO5Zcxzcsc
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookhenzratspywarestealertrojan