General

  • Target

    formbook4.zip

  • Size

    662KB

  • Sample

    221129-ln6q7aba4y

  • MD5

    ef9f3e83b8d647bbf40f768846bc8c85

  • SHA1

    0825637ee21c4b341849ebd18c8910f68264762c

  • SHA256

    502751e0b4a8acff074def25e8bf46495cc258100652ae11194aea84b5278fcf

  • SHA512

    ca30a5b1aaa76cb8b69bf13cb4e46ad6643b2e6faed5588060c8767e3a2c2d09469e878227a378682e803e6b10423b1bf4c54c875972dcf86160565c532ef340

  • SSDEEP

    12288:FQHF1e57vZhFxafu3I19z7t8RXIvFuCFhQ/DcFNzJMiD4EMs6:0WPku3Iqs5rQ/DUbCs6

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    5pdf

  • Decoy

    cnoOEQHsI9ejYIEif1HquIlIogYo8Ow=
    +pAzTzDtpZpp
    djD/KBrcDAYQyOGt+Us+fA==
    EJM2X0tTvNKodx36
    86lMWj8hSQvtqtamtDE6kbKCy3c=
    /ywYVB9fxjhRAg==
    0OZ0eaYoArZ0
    Kl0MifS5n1TXmIQBZLE=
    2eN+GpZbBAJDAg==
    E8OdZbo7E5cuJgSu2JNUfg==
    wXQeNSUaXiXts3xLPw==
    PzLRe+HePPeJJB8PJw==
    BPaaT7LANzqtcROc+Us+fA==
    /vB5AHAzcWtvN1TtGCkZ2L47OjGmU8RrWQ==
    gwSl0rcfM/O7hCE=
    NrtIzTsH96xB8a3HBhbfMkCs
    bxu1vLuDaipA5w0OVuBc8Mw=
    2IRJAE05bSVR4Oj7UeBc8Mw=
    kQuq4sSpB/7gs3xLPw==
    iqhd2Ea725sBlSE=

Targets

    • Target

      formbook4.exe

    • Size

      1.0MB

    • MD5

      e434c99075bb1cc365706ac25bc1c53a

    • SHA1

      4cbc665703ef6c5eb46608aa5b8fef42c6afe6f5

    • SHA256

      f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365

    • SHA512

      a6de56271d64f1ec3c4049faaeb99b7822f22b0acb6716a5ac52f7726d6278724d3110361cf13b63d441af01c3668dcde727a3ba322af17e00b33b0b0abb4610

    • SSDEEP

      24576:bpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8gPkS3k:23cj+/ZEFdj

    • Formbook

      Formbook is a data-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                      Count  ID
Execution             Scheduled Task                 1      T1053
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Defense Evasion       Modify Registry                1      T1112
Discovery             Query Registry                 1      T1012
Discovery             System Information Discovery   2      T1082

Tasks