formbook | 67bdb5802b7b2a279b9bc414db04e65955052318b15ff51eda8855efd5b235b9 | Triage

Sharing

General

Target

Quotation 911799 - EM092722.exe
Size

270KB
Sample

221205-khk2vscc77
MD5

8177c774bdaa0838a2b55127f2e51b8f
SHA1

2f4c92d7ae69adab3a1077fb2b6bc4ac7ad6771b
SHA256

67bdb5802b7b2a279b9bc414db04e65955052318b15ff51eda8855efd5b235b9
SHA512

bed58a0b07bda281a075b41b2586d30ea7713caff7d2d490ee996cdea69f73c80103fed916918c92ca3b3075fca8b2ae29cb4721456b089182215edaed3c83c6
SSDEEP

6144:QBn1mCi0MW9wxxWX08Dex0YKq3rTQ+PlaRl3E6yW2Uo:gcsXFDJYKq3/jPEXq7

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  Quotation 911799 - EM092722.exe
- Size
  
  270KB
- MD5
  
  8177c774bdaa0838a2b55127f2e51b8f
- SHA1
  
  2f4c92d7ae69adab3a1077fb2b6bc4ac7ad6771b
- SHA256
  
  67bdb5802b7b2a279b9bc414db04e65955052318b15ff51eda8855efd5b235b9
- SHA512
  
  bed58a0b07bda281a075b41b2586d30ea7713caff7d2d490ee996cdea69f73c80103fed916918c92ca3b3075fca8b2ae29cb4721456b089182215edaed3c83c6
- SSDEEP
  
  6144:QBn1mCi0MW9wxxWX08Dex0YKq3rTQ+PlaRl3E6yW2Uo:gcsXFDJYKq3/jPEXq7
Score

10^/10

persistence formbook yurm rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

formbookyurmpersistenceratspywarestealertrojan