formbook | d6e05b13f3d042dd2feeba7cef984d8866ad4867b7c95643f103785ffedd69bb | Triage

Sharing

General

Target

9fef2569a2570b70806120838c82b6012d36790205c82254b848ec862005ec3a.zip
Size

229KB
Sample

221130-jvdmwabe34
MD5

6e6698f2cc767830dabdcf79ad70f74b
SHA1

329e21cbbb385b8ded5e450c97208f721d7d6c3f
SHA256

d6e05b13f3d042dd2feeba7cef984d8866ad4867b7c95643f103785ffedd69bb
SHA512

b072136c61f9d32decb081bd404a2289e36bbc482955647c5f044823b4643c6840d952bc39bf2071e9d06ab4528732e632a86e0307f9009b4a2b4e7d5ec2c45d
SSDEEP

6144:5RGZyoNqm8MLfEkuQoCPaaLX1TQCVX2dDOlWJKIFpF:3GAA98AfDoGaaLRQCMdDOty

Score

10^/10

formbook k6n9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Targets

- Target
  
  9fef2569a2570b70806120838c82b6012d36790205c82254b848ec862005ec3a.exe
- Size
  
  254KB
- MD5
  
  2832483a7a311902ae9fa5d7b6cf6eda
- SHA1
  
  cebd82649420adacb8a382665f175d479c8655af
- SHA256
  
  9fef2569a2570b70806120838c82b6012d36790205c82254b848ec862005ec3a
- SHA512
  
  652a448d43b5e7eda69018eedb17297f963eb771606096413fb1b7ee4f7b4da35c80e1aebcacf1954456267e23a1507b08a3a35bb318c4573b492c3a867d7f50
- SSDEEP
  
  6144:LBnbpM4DXtWFfsHj8DANpiTGgfKxtQD+R075MLx0r:FpTDXmsHlNpYGgwt3R0leU
Score

10^/10

formbook k6n9 rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookk6n9ratspywarestealertrojan