formbook

General

Target

Quotation 2101137.exe
Size

333KB
Sample

221209-jn9fzacf56
MD5

f1d95bc5972ece6c0ab4d64bd5c41721
SHA1

750d7f9bc16029e5e7229c88c3363e03e2b50e7d
SHA256

8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb
SHA512

1243b8c9c78c2df52cded73add252e0bbc60dcc4c52d3449ac406fdfc1a6b2b55e520aa7c3114b0c43f368f259df424376ad689240c5abaa7c54ff3e557e98aa
SSDEEP

6144:9kwb4cTPlzXPps8WC6KeBYfzFRyXxwwqIObWNlpPBV33nxqcI3hEONpJ364lH:P4cTPRXPps55gFaxLAbQTPBVgcI3CAp7

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  Quotation 2101137.exe
- Size
  
  333KB
- MD5
  
  f1d95bc5972ece6c0ab4d64bd5c41721
- SHA1
  
  750d7f9bc16029e5e7229c88c3363e03e2b50e7d
- SHA256
  
  8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb
- SHA512
  
  1243b8c9c78c2df52cded73add252e0bbc60dcc4c52d3449ac406fdfc1a6b2b55e520aa7c3114b0c43f368f259df424376ad689240c5abaa7c54ff3e557e98aa
- SSDEEP
  
  6144:9kwb4cTPlzXPps8WC6KeBYfzFRyXxwwqIObWNlpPBV33nxqcI3hEONpJ364lH:P4cTPRXPps55gFaxLAbQTPBVgcI3CAp7
Score

10^/10

formbook yurm persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2