formbook | 2aca554d54992c396c459dac71bd00d92d814ca4fdd15e2c9dcd770ca89a6e50 | Triage

Sharing

General

Target

Angebot anfordern#DE5538100- Musterkatalog.xls
Size

1.6MB
Sample

221209-m5gn3ada48
MD5

4153bdbb2781414b56edb00def417b1f
SHA1

7191d6b286bbf48cb0b0c6c582cf395eebb145e3
SHA256

2aca554d54992c396c459dac71bd00d92d814ca4fdd15e2c9dcd770ca89a6e50
SHA512

dddf75f258c90587fe60d4bb86594939602f1b8ffeb36068b8e7fd769bb89bd3c68a0e4cd401aa833a65b59859fe54efd9b3f49e1680796a5fb561848d66d0db
SSDEEP

24576:0zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDUmeRr5XXXXXXXXXXXXUXXXXXXXrXXXC:B5h0fuYgM

Score

10^/10

formbook dwdp persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Targets

- Target
  
  Angebot anfordern#DE5538100- Musterkatalog.xls
- Size
  
  1.6MB
- MD5
  
  4153bdbb2781414b56edb00def417b1f
- SHA1
  
  7191d6b286bbf48cb0b0c6c582cf395eebb145e3
- SHA256
  
  2aca554d54992c396c459dac71bd00d92d814ca4fdd15e2c9dcd770ca89a6e50
- SHA512
  
  dddf75f258c90587fe60d4bb86594939602f1b8ffeb36068b8e7fd769bb89bd3c68a0e4cd401aa833a65b59859fe54efd9b3f49e1680796a5fb561848d66d0db
- SSDEEP
  
  24576:0zxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXDUmeRr5XXXXXXXXXXXXUXXXXXXXrXXXC:B5h0fuYgM
Score

10^/10

formbook dwdp persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookdwdppersistenceratspywarestealertrojan

behavioral2