formbook | b2494aaabd68a29cbb11be4d3164f04657b24e5887345625704741da9515307a | Triage

Submit
Reports

Overview

overview

Static

static

D22122SG_0...de.xls

windows7-x64

D22122SG_0...de.xls

windows10-2004-x64

1

Sharing

General

Target

D22122SG_001 Fresa General Trade.xls
Size

1.5MB
Sample

221207-nxbzaagf5t
MD5

7897d067062d4d5d0824890c39a6ccda
SHA1

daa82905ae468f5087bbbf51b8b1425367d8b278
SHA256

b2494aaabd68a29cbb11be4d3164f04657b24e5887345625704741da9515307a
SHA512

479f9c20e63e5883735d234f4f5c7d8b6c4f9d06a535887c3bcfc17aabdc67b18793deeece62965c1e81ef251855162792d2c62ccb9da8c9b737cb3a1bc2b8e6
SSDEEP

24576:pzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDQmwor5XXXXXXXXXXXXUXXXXXXXrXXXL:qwzD5SGvu

Score

10^/10

formbook henz rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

D22122SG_001 Fresa General Trade.xls

Resource

win7-20220812-en

formbook henz rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

D22122SG_001 Fresa General Trade.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

klE+E/jVelhT72wOHRl+

ZGvqyzaT9qfME7bL

czgajHaygm4=

KufYeyTiLhIGlzU6/38IM7IrqzhFa64=

oVNF+2VXWBL9jwGsK3Bw5TE=

iI3g6JaEalRvMDaz8AD4+vt0

nWtRAaSccRlLVg==

NtvDoS2UMcMRSA==

1t5MW/lEfjsUrFJeGXBw5TE=

UFixmi+P2cgqPRj09Sc=

MSuTonT5QhU11IGFYWKB6eJj

k4Lw3r+hTj9NF8+zgnu+Nsa3/rI=

NSN7fCqHln/S+RuZJzk=

dTUV1GY97NlVLsaSJXBw5TE=

8u5OLgNPRShyRRuZJzk=

BLTZ0G3iV0B5PvedL3Bw5TE=

ci8Y27nGCM69

JxF8W9/QoC2xdwQ=

KusZC8MsPClL1oMo8SA=

tW9XIP/VYTmVpWIDjIu1p5/ebhC9

pmc//mhFFgx3l1IOHRl+

MOsl9G5hQT6lhc0oLHWtrQ==

fXvSx46RRSiGjWphOnO0p8a3/rI=

D8Hx4JoDG+znbnIRkQ==

Dsfu2pqFJP0Kv0gX1CGX3Sw=

FcGnEr4fhW7ME7bL

hkc37Y3GF8gTMAw=

dnGZWjqPqYqgTxuZJzk=

iDEV43sIvE1j7psMiQ==

vb8qEoNQBus+mQXst1h2

46qCRt3j3cfneiudJjE=

8eoYvzW2PgDrffLWrav++Mf1TUUHxKY=

vqkFDa0HYztZ+G8ODZ7Qug==

+K/F0qEnTxACrzMR2OocXxecmq31afw7pQ==

Egwn/u1rq2uVbnIRkQ==

nFVH/3fvalaRbnIRkQ==

CvtveEUyyqUJLOiOKnBw5TE=

dmfN5LErTj9l/Icl8FGopw==

VAQtEMawYiNPaTxLIxdbpD9sZL0=

MBSMhSCOHdpCVQ==

jz95eCeaJc4vSw==

85N/Gcy+XicYq0cOHRl+

D/1B46soVTKObnIRkQ==

Hgytgwn25KqyVRuZJzk=

brennancorps.info

Targets

- Target
  
  D22122SG_001 Fresa General Trade.xls
- Size
  
  1.5MB
- MD5
  
  7897d067062d4d5d0824890c39a6ccda
- SHA1
  
  daa82905ae468f5087bbbf51b8b1425367d8b278
- SHA256
  
  b2494aaabd68a29cbb11be4d3164f04657b24e5887345625704741da9515307a
- SHA512
  
  479f9c20e63e5883735d234f4f5c7d8b6c4f9d06a535887c3bcfc17aabdc67b18793deeece62965c1e81ef251855162792d2c62ccb9da8c9b737cb3a1bc2b8e6
- SSDEEP
  
  24576:pzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDQmwor5XXXXXXXXXXXXUXXXXXXXrXXXL:qwzD5SGvu
Score

10^/10

formbook henz rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookhenzratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy