formbook | 306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0 | Triage

Sharing

General

Target

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe
Size

535KB
Sample

221210-311t5sgd45
MD5

5c6d494467d89ff50a77cc878c8c9539
SHA1

11618f354cc30d7a5716a687b9384138a0f46b5b
SHA256

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
SHA512

6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394
SSDEEP

6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Targets

- Target
  
  306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe
- Size
  
  535KB
- MD5
  
  5c6d494467d89ff50a77cc878c8c9539
- SHA1
  
  11618f354cc30d7a5716a687b9384138a0f46b5b
- SHA256
  
  306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
- SHA512
  
  6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394
- SSDEEP
  
  6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV
Score

10^/10

formbook m9ae persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

formbookm9aepersistenceratspywarestealertrojan

behavioral2

formbookm9aepersistenceratspywarestealertrojan