formbook | 755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f | Triage

Sharing

General

Target

SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Size

915KB
Sample

221129-p2cbaaaf27
MD5

b5678475c3c15fdafff2c5c8b49d5dc1
SHA1

7407554011988292b3e3522e19edb5532f21ee4e
SHA256

755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
SHA512

05eb462d04fa52dc64781064305aaf73c960765e35f51ef3eeb87e81e25d2dbdcfe7e2c51840ccc4d25e61a7ffc4d0786232c115a395f5e94eaba9508088aecc
SSDEEP

12288:B0dqU+0zR1NqFgVkN3kXsujtKtVrA8RssJk0cDe1Wa33JzysxUi59zDdzoa1cfN:KvFqgVAU8LrLq0vBhyLiTDdEPf

Score

10^/10

formbook k0ud evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k0ud

Decoy

KKDeo2UqDEnUCpVOQojSRXBi

2tZJH0HRrIOVDeTfmg==

MKSmj+CZhRhujjE=

s5bXm6Sadg2zBdu7hw==

8mGZiJJg7IwdLLs+pPMOfKhNGytf

ngJVQAUrwkHr

n91w0jH0iJFIpiaP

lWk89cFyI5pIpiaP

3r4L8XkqBgU3dCR30w4ZcMRga0A=

l53c8qJWOTJroVjOHBlgjJs=

y0It19ubd+FIpiaP

9Xqagljz0BeZp7ryuO4I

gxIH4giok36VxknyuO4I

tAZMOEL32FgOEBvnr8gQcg==

w0p+SzTMwKm8BcW1gw==

kxD3oaFJ6xlOeHqH

jp4I7QirduJ8slPyuO4I

LSxuX8BlRh0yWAWTEhlgjJs=

ZrTTvJ49FI8rZ09psvo=

LLSsX0XevItIpiaP

Targets

- Target
  
  SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
- Size
  
  915KB
- MD5
  
  b5678475c3c15fdafff2c5c8b49d5dc1
- SHA1
  
  7407554011988292b3e3522e19edb5532f21ee4e
- SHA256
  
  755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
- SHA512
  
  05eb462d04fa52dc64781064305aaf73c960765e35f51ef3eeb87e81e25d2dbdcfe7e2c51840ccc4d25e61a7ffc4d0786232c115a395f5e94eaba9508088aecc
- SSDEEP
  
  12288:B0dqU+0zR1NqFgVkN3kXsujtKtVrA8RssJk0cDe1Wa33JzysxUi59zDdzoa1cfN:KvFqgVAU8LrLq0vBhyLiTDdEPf
Score

10^/10

formbook k0ud evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookk0udevasionratspywarestealertrojan

behavioral2

formbookk0udevasionratspywarestealertrojan