formbook

General

Target

Purchase order 781830171.zip
Size

591KB
Sample

221216-rvqanseh38
MD5

4bf3e1f318f983457b8d379807183d69
SHA1

69617ac871d52272b3d0e3638e59fc364003f703
SHA256

80e0a46fefd0ce3dc15a56966a8e6a87862939f3ecf7b3f46f13ca508dc9d84b
SHA512

d49800c46334562fa07dc2f0db2060c99c57ec77a10721f0cbf1ee72e6889675029853b0e4df77d87da31724e3ba3013082e3d0ec4df915e72e332e4f5ea984a
SSDEEP

12288:pm92C6ONBbFXMVRCoxYdpi4ZLEoulx+dvTMC9ZqiSblHuuNqAz9kGngHr85c:pw2C6ONjXML7mdw42oMC7qi8lHuY9rnc

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Targets

- Target
  
  Purchase order 781830171.exe
- Size
  
  602KB
- MD5
  
  94a7ae060dd2244f3e523ef87ac573d5
- SHA1
  
  6da1cf7a0e4a708e6c986a810cbe87ac73bbf5e1
- SHA256
  
  0d65bd3f562fa127be5f009203fed5b0da090648f61d10d03ded5c89228e3766
- SHA512
  
  b079719fc7064d9137b53e078e331a19cf0805fec42a68e2c625af3eea95f0cd6aca84bbf75c46892fe03d35d0b186bd118a3821b77a748eadb663e1e2232f5b
- SSDEEP
  
  12288:zsBbFXMFRCMxYTri4ZzEouFxSdBTM09Zq8SblZuuNwApnkGngLr8z6:4jXMbhmT24yoW07q88lZuEnrngLrr
Score

10^/10

persistence formbook yurm rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2