formbook

General

Target

Quotation.exe
Size

603KB
Sample

221211-spk97sbf9v
MD5

bd50419823213f1f7b3a8e74b051b379
SHA1

be3166a203ccbf1ce56ee05420a1972f115d8620
SHA256

a6251f77e4c34d7007b6ac5b9e76fb2905d90eb74cb3b5da23fc11ac437f44ad
SHA512

7e7490dbe4d02f3046494daf45fe9fddbb292855f2546b95d88100d89d61f41c328969f2d59dbd5fffcf61aafc79dd56b5f56e1a9bc74f634b19ff2eff5d5b07
SSDEEP

12288:g4LZz32DiC3u6zioxdrRNd4vHbQeKQMgH7+Wp1bILwwyx:g4lot3u6zxbGRT118Gx

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

- Target
  
  Quotation.exe
- Size
  
  603KB
- MD5
  
  bd50419823213f1f7b3a8e74b051b379
- SHA1
  
  be3166a203ccbf1ce56ee05420a1972f115d8620
- SHA256
  
  a6251f77e4c34d7007b6ac5b9e76fb2905d90eb74cb3b5da23fc11ac437f44ad
- SHA512
  
  7e7490dbe4d02f3046494daf45fe9fddbb292855f2546b95d88100d89d61f41c328969f2d59dbd5fffcf61aafc79dd56b5f56e1a9bc74f634b19ff2eff5d5b07
- SSDEEP
  
  12288:g4LZz32DiC3u6zioxdrRNd4vHbQeKQMgH7+Wp1bILwwyx:g4lot3u6zxbGRT118Gx
Score

10^/10

persistence formbook scse rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2