formbook | ac8a052005110b9a07f80af54d274429789ff8386fa2198925e3262d85fe448c | Triage

Sharing

General

Target

NEWorder2022FILE8876.iso
Size

890KB
Sample

221208-rxbv3aac62
MD5

836a9194d01ee1fa6c6e79cd19362a14
SHA1

bc91c28764891fa4606ea053385dc815683dd23d
SHA256

ac8a052005110b9a07f80af54d274429789ff8386fa2198925e3262d85fe448c
SHA512

f75ee036484b7e19d28b9fe6186082c950a2f9d082cc0455da08148f4d304e8e648b1efdb7583e4702150bdfc7baff04762ffd0aaa67bfb7aaf914616a090fcc
SSDEEP

12288:Q3YNF3wX+sJMgCEdhJlxnFrQ9dI640gfHtY/h8uSW7rbLxPkgUUj5TX:g8GlJMkdhVnaHI6ufNkUEpaE

Score

10^/10

formbook 4u5a persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

4u5a

Decoy

Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

Targets

- Target
  
  NEWorder2022FILE8876.exe
- Size
  
  829KB
- MD5
  
  443188c8e6b449066d99f49d1b715e92
- SHA1
  
  7ebde06ed2558ad169e7b779ac2f7bc8bc758ef0
- SHA256
  
  15046684df239f63119e30eadc6a71abbfece9080bb3a6a1d4f7b0899ee47409
- SHA512
  
  1c063339b87ebe67daf14c58f20cbe917885d12ff3d1161e8e7180752710819c5b1aea92b104130d3a42beaa5906691938656c0f394591d2e2ba3beb5de31fee
- SSDEEP
  
  12288:D3YNF3wX+sJMgCEdhJlxnFrQ9dI640gfHtY/h8uSW7rbLxPkgUUj5TX:j8GlJMkdhVnaHI6ufNkUEpaE
Score

10^/10

formbook 4u5a persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Modifies Installed Components in the registry
  persistence
- Uses the VBS compiler for execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

formbook4u5apersistenceratspywarestealertrojan