formbook

General

Target

Outstanding SOA.exe
Size

339KB
Sample

221211-299mzahh94
MD5

301addb86ca3c942e69305684bf5c91f
SHA1

5ba7b078b5c4f83582f4b5fab738d2bc40b3caac
SHA256

2c57f3f9227d165321ad3ec29060b58358f3e95968cc1b4b6eff7eb978a993d1
SHA512

119d0d4a47a7dc8a2c6e823a706c5c93c6a3b746d6ac97f4fc1889133b42ac8bb191386bf71c3a299d92b63d87a24031c7a3aa339b7e18f67fe571d723e2dd4b
SSDEEP

6144:9kw5Ozbc0itHVpknYIuGGzQe+rnqLG529GmuVyvp0csCAFSuH:toyBMnYYHHb29BuVyvqh1

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

- Target
  
  Outstanding SOA.exe
- Size
  
  339KB
- MD5
  
  301addb86ca3c942e69305684bf5c91f
- SHA1
  
  5ba7b078b5c4f83582f4b5fab738d2bc40b3caac
- SHA256
  
  2c57f3f9227d165321ad3ec29060b58358f3e95968cc1b4b6eff7eb978a993d1
- SHA512
  
  119d0d4a47a7dc8a2c6e823a706c5c93c6a3b746d6ac97f4fc1889133b42ac8bb191386bf71c3a299d92b63d87a24031c7a3aa339b7e18f67fe571d723e2dd4b
- SSDEEP
  
  6144:9kw5Ozbc0itHVpknYIuGGzQe+rnqLG529GmuVyvp0csCAFSuH:toyBMnYYHHb29BuVyvqh1
Score

10^/10

formbook scse persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2