formbook

General

Target

3abebb8dc857936bb52c8279602d5c62.exe.vir
Size

603KB
Sample

221206-f9elyace6t
MD5

a6afef15d5eedcf2a0ff34083fc6c1ca
SHA1

5b06db1442948c2686ddc7a9c57aa05084ab259e
SHA256

b72a5dfe57144f6949b0b8f3b0792c306dc6fadafc71d8919f7dd0fd2d4bb8c4
SHA512

f846f6f0299bc9ac6955fe21eca2106436427f10746406a041856408ad0c90ed7694177b6044ba0117c0d09184c3d62adbea0a26156ba4f4d632a33e6adcb6e9
SSDEEP

12288:g4cYY+jIxUzR+tl70wrhRLjvlnL7xC4g2z3tUqPAO1ItKVLWbYUPXebv:g4/mxUEX70wbp7PTbtUwN1dVTbv

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  3abebb8dc857936bb52c8279602d5c62.exe.vir
- Size
  
  603KB
- MD5
  
  a6afef15d5eedcf2a0ff34083fc6c1ca
- SHA1
  
  5b06db1442948c2686ddc7a9c57aa05084ab259e
- SHA256
  
  b72a5dfe57144f6949b0b8f3b0792c306dc6fadafc71d8919f7dd0fd2d4bb8c4
- SHA512
  
  f846f6f0299bc9ac6955fe21eca2106436427f10746406a041856408ad0c90ed7694177b6044ba0117c0d09184c3d62adbea0a26156ba4f4d632a33e6adcb6e9
- SSDEEP
  
  12288:g4cYY+jIxUzR+tl70wrhRLjvlnL7xC4g2z3tUqPAO1ItKVLWbYUPXebv:g4/mxUEX70wbp7PTbtUwN1dVTbv
Score

10^/10

persistence formbook yurm rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2