formbook | 4a0f5f393b9b5ec51e24b1feb5ac4239ea144960d25825e1dd5f3af02858cc2c | Triage

Sharing

General

Target

MV DOOYANG TBN PARTICULARS.exe
Size

259KB
Sample

221129-nrfehsef68
MD5

571c086c113946c6bede6590548a96d1
SHA1

f03b3c1cf890d22df72094e3df466d141a0226b5
SHA256

4a0f5f393b9b5ec51e24b1feb5ac4239ea144960d25825e1dd5f3af02858cc2c
SHA512

9917251bfc52dc8ba6788aecee9a149340c30b73565598c22d28a6d1a34d5e7357a4b4812429965b1d3f58ad904dad4902d06762dcbe25adcdce83d900e27f1a
SSDEEP

6144:1BnqxnIIw4bDUEDTIg826uyIM42tgpouzDPDxm:yxnIN43UHzDucgi0PDxm

Score

10^/10

formbook ermr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Targets

- Target
  
  MV DOOYANG TBN PARTICULARS.exe
- Size
  
  259KB
- MD5
  
  571c086c113946c6bede6590548a96d1
- SHA1
  
  f03b3c1cf890d22df72094e3df466d141a0226b5
- SHA256
  
  4a0f5f393b9b5ec51e24b1feb5ac4239ea144960d25825e1dd5f3af02858cc2c
- SHA512
  
  9917251bfc52dc8ba6788aecee9a149340c30b73565598c22d28a6d1a34d5e7357a4b4812429965b1d3f58ad904dad4902d06762dcbe25adcdce83d900e27f1a
- SSDEEP
  
  6144:1BnqxnIIw4bDUEDTIg826uyIM42tgpouzDPDxm:yxnIN43UHzDucgi0PDxm
Score

10^/10

formbook ermr persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookermrpersistenceratspywarestealertrojan