formbook | 3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8 | Triage

Sharing

General

Target

PO 0094899101.exe
Size

762KB
Sample

221206-hysqjahc21
MD5

4c274f3bc91970597ea119c632c45860
SHA1

43fda1bfe6971a37106d9827433b07dae500fe30
SHA256

3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8
SHA512

bf9eec01cc9fe9e5b4ce24f10cfdf059bcc2d0a11ea8d3ea82aa8dbde5d1c4aa715a171dcec6786461d1f4dc6af9f396ad6dd6add188a111a5f972dd4dd8815e
SSDEEP

12288:YbIg+dWn45FiQxDCDTkEwYlaPU5vot96i0KeDC2/2ak6NqpIESRaJ2:YbZQtaQKlsU6tYiEC2FkMUSRaJ2

Score

10^/10

formbook elhb rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

elhb

Decoy

BxGzoacPQ3mFBGhbtixjHOm2l30=

dTRqRkWfuBbGMmsPJA==

Pix+zpOG6+Gk

N+3dNZ0ZjOtrRnnj

xUv06VOm45P441HWCmmfSum2l30=

Sx5JuwMfaRrJdK3r

cgU6nPNKa14KC4K40cp4wbkm/KpzfwM=

rV8A2UGJrlbYxa48P40=

Gz3szbYLIYI6l+4=

QU3ru637P+U4itwRQ3n7n2c=

DdkGzbEPU4Fy4h2bZLVXNzz0

QPUo8R5qn9KUnhRRtmVY8/Zp5Xw=

q+EX7juJsVR79msRSnsUxg==

/34eEpvsLS8lw7uom5U=

HEVrEXHlHMlNNp9IlsY+0Q==

KZ/SIWnI7eeog+pwY9uAw+PmmhfjXQ==

Kdn7YMcoXYWjHId+0jhkHem2l30=

R7lnYeAfO1MUHIWyz9c/aoIvHxSvQA==

P7ZYVqmG6+Gk

hlk7m1hdnb0=

Targets

- Target
  
  PO 0094899101.exe
- Size
  
  762KB
- MD5
  
  4c274f3bc91970597ea119c632c45860
- SHA1
  
  43fda1bfe6971a37106d9827433b07dae500fe30
- SHA256
  
  3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8
- SHA512
  
  bf9eec01cc9fe9e5b4ce24f10cfdf059bcc2d0a11ea8d3ea82aa8dbde5d1c4aa715a171dcec6786461d1f4dc6af9f396ad6dd6add188a111a5f972dd4dd8815e
- SSDEEP
  
  12288:YbIg+dWn45FiQxDCDTkEwYlaPU5vot96i0KeDC2/2ak6NqpIESRaJ2:YbZQtaQKlsU6tYiEC2FkMUSRaJ2
Score

10^/10

formbook elhb rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbookelhbratspywarestealertrojan