formbook | c8517f6c638a7d458d5dc46ba0c8b62c22165996339338788f9632cba03570c5 | Triage

Sharing

General

Target

71084394.exe
Size

340KB
Sample

221208-kkww5shd74
MD5

071d5dc67ed8f6be856d7f23d77382fc
SHA1

66f71f1f920899aaffe32f996f25df8c031cbd8a
SHA256

c8517f6c638a7d458d5dc46ba0c8b62c22165996339338788f9632cba03570c5
SHA512

973b2c8a59dda6d40e75d45fabc72e9b0679373f604267837854d6ff8f6ecb4f02b855ab3210ca6b49f6315cdac69666d788f01cc60fd5d99fa638a16afa5b0e
SSDEEP

6144:9kwu1ri9AcbfpzRnOa4YS+UYzzrgezsk4VUIE6Xfjh8o/Y7qAKTFtsY7eREBOd:61riiODTUU1AUIE6XfT/CKRmfeBOd

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  71084394.exe
- Size
  
  340KB
- MD5
  
  071d5dc67ed8f6be856d7f23d77382fc
- SHA1
  
  66f71f1f920899aaffe32f996f25df8c031cbd8a
- SHA256
  
  c8517f6c638a7d458d5dc46ba0c8b62c22165996339338788f9632cba03570c5
- SHA512
  
  973b2c8a59dda6d40e75d45fabc72e9b0679373f604267837854d6ff8f6ecb4f02b855ab3210ca6b49f6315cdac69666d788f01cc60fd5d99fa638a16afa5b0e
- SSDEEP
  
  6144:9kwu1ri9AcbfpzRnOa4YS+UYzzrgezsk4VUIE6Xfjh8o/Y7qAKTFtsY7eREBOd:61riiODTUU1AUIE6XfT/CKRmfeBOd
Score

10^/10

formbook yurm persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookyurmpersistenceratspywarestealertrojan

behavioral2

formbookyurmpersistenceratspywarestealertrojan