formbook | 3912cd99823a4ab2c785ba3eb8de1a5253057c910880649ba54bc1d5ae06581c | Triage

Submit
Reports

Overview

overview

Static

static

New order ...22.xls

windows7-x64

New order ...22.xls

windows10-2004-x64

1

Sharing

General

Target

New order - Cleantech - DEC -P0 120522.xls
Size

1.5MB
Sample

221206-hrh8hsdd84
MD5

3d495c348238d2b882dbd33e7c87b083
SHA1

1333f588040498bd828c81f2a9090badd46ee54d
SHA256

3912cd99823a4ab2c785ba3eb8de1a5253057c910880649ba54bc1d5ae06581c
SHA512

3fc9108dc3030277ab29190878793558d43dd0d9da75b6063677fbc47d5160d0fa5dfa03cf828a3dc6b29373f8b09987aa8531c334fb817389e6e97297c98bdf
SSDEEP

24576:9zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDSmAUr5XXXXXXXXXXXXUXXXXXXXrXXXN:OKd4lesYb

Score

10^/10

formbook henz rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

New order - Cleantech - DEC -P0 120522.xls

Resource

win7-20220901-en

formbook henz rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

New order - Cleantech - DEC -P0 120522.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

klE+E/jVelhT72wOHRl+

ZGvqyzaT9qfME7bL

czgajHaygm4=

KufYeyTiLhIGlzU6/38IM7IrqzhFa64=

oVNF+2VXWBL9jwGsK3Bw5TE=

iI3g6JaEalRvMDaz8AD4+vt0

nWtRAaSccRlLVg==

NtvDoS2UMcMRSA==

1t5MW/lEfjsUrFJeGXBw5TE=

UFixmi+P2cgqPRj09Sc=

MSuTonT5QhU11IGFYWKB6eJj

k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=

NSN7fCqHln/S+RuZJzk=

dTUV1GY97NlVLsaSJXBw5TE=

8u5OLgNPRShyRRuZJzk=

BLTZ0G3iV0B5PvedL3Bw5TE=

ci8Y27nGCM69

JxF8W9/QoC2xdwQ=

KusZC8MsPClL1oMo8SA=

tW9XIP/VYTmVpWIDjIu1p5/ebhC9

pmc//mhFFgx3l1IOHRl+

MOsl9G5hQT6lhc0oLHWtrQ==

fXvSx46RRSiGjWphOnO0p8a3/rI=

D8Hx4JoDG+znbnIRkQ==

Dsfu2pqFJP0Kv0gX1CGX3Sw=

FcGnEr4fhW7ME7bL

hkc37Y3GF8gTMAw=

dnGZWjqPqYqgTxuZJzk=

iDEV43sIvE1j7psMiQ==

vb8qEoNQBus+mQXst1h2

46qCRt3j3cfneiudJjE=

8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=

vqkFDa0HYztZ+G8ODZ7Qug==

+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==

Egwn/u1rq2uVbnIRkQ==

nFVH/3fvalaRbnIRkQ==

CvtveEUyyqUJLOiOKnBw5TE=

dmfN5LErTj9l/Icl8FGopw==

VAQtEMawYiNPaTxLIxdbpD9sZL0=

MBSMhSCOHdpCVQ==

jz95eCeaJc4vSw==

85N/Gcy+XicYq0cOHRl+

D/1B46soVTKObnIRkQ==

Hgytgwn25KqyVRuZJzk=

brennancorps.info

Targets

- Target
  
  New order - Cleantech - DEC -P0 120522.xls
- Size
  
  1.5MB
- MD5
  
  3d495c348238d2b882dbd33e7c87b083
- SHA1
  
  1333f588040498bd828c81f2a9090badd46ee54d
- SHA256
  
  3912cd99823a4ab2c785ba3eb8de1a5253057c910880649ba54bc1d5ae06581c
- SHA512
  
  3fc9108dc3030277ab29190878793558d43dd0d9da75b6063677fbc47d5160d0fa5dfa03cf828a3dc6b29373f8b09987aa8531c334fb817389e6e97297c98bdf
- SSDEEP
  
  24576:9zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDSmAUr5XXXXXXXXXXXXUXXXXXXXrXXXN:OKd4lesYb
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookhenzratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy