formbook | 6d62d493cae6daf08828e14fc36c0dba18e7eb7f75ca390ec5d21ae0b3d2c9a3 | Triage

Sharing

General

Target

0x0007000000013a3b-63.dat
Size

1.0MB
Sample

221201-c5kqlsgb65
MD5

4960f9773333e5239226ca3a86e974e9
SHA1

a5eefef24d0586abd0457acb6cb8246057574d67
SHA256

6d62d493cae6daf08828e14fc36c0dba18e7eb7f75ca390ec5d21ae0b3d2c9a3
SHA512

4292c12fb5ac12e2d70c0849fc0697319faeea35123d435a597753de4cf801b4ef219940080d5484dca16a1a1c2ec771b73d030b37b5b93e79610dafec51ac2c
SSDEEP

12288:SvE7XguFSxqtLAWaDjb9fyxZqZKa5aRW4+QlpYidxDF/3gKavwI0iVWErqsM1pnU:H5KjZwZNxRL9dPPgrYI0Iomd+zrE

Score

10^/10

formbook h9nc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

h9nc

Decoy

b6D0eLl/P/Ry1A==

KnXQBVoh1YK69G/dNR0pblRJIg==

WnXFkXyACqjtAumHng==

G0eU+2nD4Hul/C12

7TSYGZRY3obqxfiSusm2GLKO7zs=

rKv1H4dXCeB4dIWkDod0

kJHsAWgJMtQx2XbWOE50pGw=

9glV052OFiKdAumHng==

xiWAGAArojjC4Qlwk7dsq4N+0GTOyTQ=

1dUgKYkXDs1c54VvhAC4IL0a4DY=

//E2NG867Y/MH8x206eKnQ==

BQd1aNJsP/Ry1A==

kOMaJH4YPB4903g=

zOhJx2nSgFXV

3OUrp42pL88bb/+B06eKnQ==

bM5EoP21XTZ7psNQgQ==

BWG/kYrHtD9dmyigBbFamA==

BRlnZVmlrU14Zo/6Nmr9dVxHIg==

4fdR0rjKc0t78Ww/Z0DQAMWm9Ts=

Lh9p82obtozdHSNv

Targets

- Target
  
  0x0007000000013a3b-63.dat
- Size
  
  1.0MB
- MD5
  
  4960f9773333e5239226ca3a86e974e9
- SHA1
  
  a5eefef24d0586abd0457acb6cb8246057574d67
- SHA256
  
  6d62d493cae6daf08828e14fc36c0dba18e7eb7f75ca390ec5d21ae0b3d2c9a3
- SHA512
  
  4292c12fb5ac12e2d70c0849fc0697319faeea35123d435a597753de4cf801b4ef219940080d5484dca16a1a1c2ec771b73d030b37b5b93e79610dafec51ac2c
- SSDEEP
  
  12288:SvE7XguFSxqtLAWaDjb9fyxZqZKa5aRW4+QlpYidxDF/3gKavwI0iVWErqsM1pnU:H5KjZwZNxRL9dPPgrYI0Iomd+zrE
Score

10^/10

formbook h9nc rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookh9ncratspywarestealertrojan

behavioral2

formbookh9ncratspywarestealertrojan