formbook | 5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753 | Triage

Sharing

General

Target

tmp
Size

782KB
Sample

221203-whqg5acc67
MD5

c7b62f9ed3ec7b9208acc7fafda076db
SHA1

4e8e86971dcc2e418b109bacfd6170c947e4eb58
SHA256

5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753
SHA512

d6110de8c343785f0804b9a3223735d60de387b159283fdc55a3e515e335a7502776784ee229829d21d153919ac6b2fb8abf48e67d02123a5cf6a01aeda4fd68
SSDEEP

24576:vfpSX/iG4AdBfw+Px1y2l8N3ykaNh1sT/M:3EXKOdBBPx1y2lgDCo/M

Score

10^/10

formbook dqup rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dqup

Decoy

RBFKWV5uGrUdf6hN

jGcsTVbthgGRPm1nWzyE

omvIH2jxGd0Sn12CYeAAIvEODy/o

LLuzSX53kGpef9bObGSZ

P7qPqZmVr42VH9LObGSZ

EeWGEWEDxEDd5U1TxRw=

c5/8gdte657s7yo=

kQyJz9WGgKAWCTU=

94EXa2L/gCuXTwVF

QwngPG0f95paVrPd/TEdsg==

AZ0qhZ0icV3HJCS8tw==

tYe83vwj5a8uN3OSZEC+iZW/

aCkNaXAMOwxp+/X+MA9RYTs=

RDOfhwk2ysWuvw==

L79DjZhLdk7AqW/ObGSZ

eAP0idjnAen1II6+8TATqw==

d+/2mB+UWxTV2F4IsdJS5DE=

ZR9aco6xbRNvaehuqA==

zJVFYGnffyUV75T6phA=

yV3K3+jViRAtzJDNQThu0lZp+2FeyA==

Targets

- Target
  
  tmp
- Size
  
  782KB
- MD5
  
  c7b62f9ed3ec7b9208acc7fafda076db
- SHA1
  
  4e8e86971dcc2e418b109bacfd6170c947e4eb58
- SHA256
  
  5f8e9ae71eba679754663351ebaf0668bee3ef9ac7c95ad0261fe97bc3424753
- SHA512
  
  d6110de8c343785f0804b9a3223735d60de387b159283fdc55a3e515e335a7502776784ee229829d21d153919ac6b2fb8abf48e67d02123a5cf6a01aeda4fd68
- SSDEEP
  
  24576:vfpSX/iG4AdBfw+Px1y2l8N3ykaNh1sT/M:3EXKOdBBPx1y2lgDCo/M
Score

10^/10

formbook dqup rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookdqupratspywarestealertrojan