formbook | 61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404 | Triage

Sharing

General

Target

Bill Of Lading - VNSEA4331295.exe
Size

919KB
Sample

221201-rf53ksac9t
MD5

fa2b3a90b953f1919563c4494d8ada0b
SHA1

2c515413532fada3621210c7e2101146e6f5a5fa
SHA256

61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404
SHA512

7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68
SSDEEP

12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48

Score

10^/10

formbook ntzb rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ntzb

Decoy

ec/NM1mI984Gb/9r

LIh84/7lSr8jyCJjNRy3cy5K/w==

ywyL4wf5IYKQvdNGr5hpUcZk

ibXIRT7wwpAGb/9r

jvlCCTIkf3aEc0yrhiKei9M=

JpvChtpFpghexluRIQ==

ufPzZvM9cUyAySmfh3VZ

IWlUsdnOG2qvOYvJMp9v2/IU7Q==

AShx1yFdwhMDEvts6yKei9M=

G0s8BkB7oPAhNESxLJisov0O4g==

5whNpsfrfGq6bT5VM5c=

7YrOda8xKRZpbX55Rp0=

lff5IDBTuCxnxluRIQ==

s/nqUHamCtIGb/9r

IqvUNFmH8soGb/9r

l8GtEDwvaHre8/VBHFv+wQ==

cb4m5SZjvr4EuU20ORuv4zoQMrY=

msP5quMgh5TOcT5VM5c=

yvEWmNz1G6jvgN1EHFv+wQ==

ZfcqLcYYqRdu9EWF7mUynGEx7sib

Targets

- Target
  
  Bill Of Lading - VNSEA4331295.exe
- Size
  
  919KB
- MD5
  
  fa2b3a90b953f1919563c4494d8ada0b
- SHA1
  
  2c515413532fada3621210c7e2101146e6f5a5fa
- SHA256
  
  61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404
- SHA512
  
  7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68
- SSDEEP
  
  12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48
Score

10^/10

formbook ntzb rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookntzbratspywarestealertrojan

behavioral2

formbookntzbratspywarestealertrojan