formbook

General

Target

87901426.exe
Size

602KB
Sample

221209-rpexradd29
MD5

0597c2f492733078cc3231b33dfc284c
SHA1

c2911934ece108745f314ca7f9e763b7986001a2
SHA256

80a92f2ceb76a9e3f2a5405c1d2d26f838d54b5129d1ce97d60c4af88c07dc61
SHA512

9e99611d0840d297dde4c55ac4146b7728e80e40009e33a88d17dfe6895923047077d991c28fd6371b8372d30e28aa15a83629d85b6566c926c1115c1678b22c
SSDEEP

12288:aLsIqZDM2wnBZ9FxvMMwEYwc4K00PGgmFfdTM2CqvxWm+XZO:agIwY2mZBvT1K0ZgydTlxWm+XA

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  87901426.exe
- Size
  
  602KB
- MD5
  
  0597c2f492733078cc3231b33dfc284c
- SHA1
  
  c2911934ece108745f314ca7f9e763b7986001a2
- SHA256
  
  80a92f2ceb76a9e3f2a5405c1d2d26f838d54b5129d1ce97d60c4af88c07dc61
- SHA512
  
  9e99611d0840d297dde4c55ac4146b7728e80e40009e33a88d17dfe6895923047077d991c28fd6371b8372d30e28aa15a83629d85b6566c926c1115c1678b22c
- SSDEEP
  
  12288:aLsIqZDM2wnBZ9FxvMMwEYwc4K00PGgmFfdTM2CqvxWm+XZO:agIwY2mZBvT1K0ZgydTlxWm+XA
Score

10^/10

persistence formbook yurm rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2