formbook | 0e8f31c511f0c4d2ab952cf42f4b6e2d21ed4612c054873a098e1075c8c76909 | Triage

Submit
Reports

Overview

overview

Static

static

KP_22-15-1...22.xls

windows7-x64

KP_22-15-1...22.xls

windows10-2004-x64

1

Sharing

General

Target

KP_22-15-1201-8_ALM Tech_05.12.2022.xls
Size

1.5MB
Sample

221206-hr3xxsgf6x
MD5

278bd1188d5eb79992f50301e9c04011
SHA1

7f067b15020d3bd92b2c81ec9544a331e31bca8d
SHA256

0e8f31c511f0c4d2ab952cf42f4b6e2d21ed4612c054873a098e1075c8c76909
SHA512

1188302b674db1f0c65e73db7abe69b20c5e0c4f0f685c650e978ab0a6390b2ad025f308b4891f6c8b2779d46c259bbdba73a1051c137f4ad375dc8d25290cf8
SSDEEP

24576:MzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD/mlsr5XXXXXXXXXXXXUXXXXXXXrXXXu:ZMzzXtHY

Score

10^/10

formbook henz rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

KP_22-15-1201-8_ALM Tech_05.12.2022.xls

Resource

win7-20220901-en

formbook henz rat spyware stealer trojan

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

KP_22-15-1201-8_ALM Tech_05.12.2022.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

klE+E/jVelhT72wOHRl+

ZGvqyzaT9qfME7bL

czgajHaygm4=

KufYeyTiLhIGlzU6/38IM7IrqzhFa64=

oVNF+2VXWBL9jwGsK3Bw5TE=

iI3g6JaEalRvMDaz8AD4+vt0

nWtRAaSccRlLVg==

NtvDoS2UMcMRSA==

1t5MW/lEfjsUrFJeGXBw5TE=

UFixmi+P2cgqPRj09Sc=

MSuTonT5QhU11IGFYWKB6eJj

k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=

NSN7fCqHln/S+RuZJzk=

dTUV1GY97NlVLsaSJXBw5TE=

8u5OLgNPRShyRRuZJzk=

BLTZ0G3iV0B5PvedL3Bw5TE=

ci8Y27nGCM69

JxF8W9/QoC2xdwQ=

KusZC8MsPClL1oMo8SA=

tW9XIP/VYTmVpWIDjIu1p5/ebhC9

pmc//mhFFgx3l1IOHRl+

MOsl9G5hQT6lhc0oLHWtrQ==

fXvSx46RRSiGjWphOnO0p8a3/rI=

D8Hx4JoDG+znbnIRkQ==

Dsfu2pqFJP0Kv0gX1CGX3Sw=

FcGnEr4fhW7ME7bL

hkc37Y3GF8gTMAw=

dnGZWjqPqYqgTxuZJzk=

iDEV43sIvE1j7psMiQ==

vb8qEoNQBus+mQXst1h2

46qCRt3j3cfneiudJjE=

8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=

vqkFDa0HYztZ+G8ODZ7Qug==

+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==

Egwn/u1rq2uVbnIRkQ==

nFVH/3fvalaRbnIRkQ==

CvtveEUyyqUJLOiOKnBw5TE=

dmfN5LErTj9l/Icl8FGopw==

VAQtEMawYiNPaTxLIxdbpD9sZL0=

MBSMhSCOHdpCVQ==

jz95eCeaJc4vSw==

85N/Gcy+XicYq0cOHRl+

D/1B46soVTKObnIRkQ==

Hgytgwn25KqyVRuZJzk=

brennancorps.info

Targets

- Target
  
  KP_22-15-1201-8_ALM Tech_05.12.2022.xls
- Size
  
  1.5MB
- MD5
  
  278bd1188d5eb79992f50301e9c04011
- SHA1
  
  7f067b15020d3bd92b2c81ec9544a331e31bca8d
- SHA256
  
  0e8f31c511f0c4d2ab952cf42f4b6e2d21ed4612c054873a098e1075c8c76909
- SHA512
  
  1188302b674db1f0c65e73db7abe69b20c5e0c4f0f685c650e978ab0a6390b2ad025f308b4891f6c8b2779d46c259bbdba73a1051c137f4ad375dc8d25290cf8
- SSDEEP
  
  24576:MzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD/mlsr5XXXXXXXXXXXXUXXXXXXXrXXXu:ZMzzXtHY
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookhenzratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy