formbook

General

Target

Invoice.exe
Size

602KB
Sample

221206-qtexwacc23
MD5

75bab4e3e275410ee46f56c96d2ca719
SHA1

ff9f741609c0009d066c33d8fd8d668c66f6c829
SHA256

1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc
SHA512

deb1b0dce46a9bd2b2ee90f61fbe9f41db562b35782c1b83c6ac41ff0c384ea27b828e5ef03e644b9fbd40a1dd0e24a1fa57c4eb625a24752c18b9ac2563ce57
SSDEEP

12288:gOVGmi1JQ52I8sDQJRZ+z+8xmduDYHkUVszxOAzZ21vMiNSpS:gcJAJtESRY+8xiHxefoNSo

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

- Target
  
  Invoice.exe
- Size
  
  602KB
- MD5
  
  75bab4e3e275410ee46f56c96d2ca719
- SHA1
  
  ff9f741609c0009d066c33d8fd8d668c66f6c829
- SHA256
  
  1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc
- SHA512
  
  deb1b0dce46a9bd2b2ee90f61fbe9f41db562b35782c1b83c6ac41ff0c384ea27b828e5ef03e644b9fbd40a1dd0e24a1fa57c4eb625a24752c18b9ac2563ce57
- SSDEEP
  
  12288:gOVGmi1JQ52I8sDQJRZ+z+8xmduDYHkUVszxOAzZ21vMiNSpS:gcJAJtESRY+8xiHxefoNSo
Score

10^/10

persistence formbook scse rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2