formbook

General

Target

ORDER.EXE
Size

275KB
Sample

221219-j3tdashe8t
MD5

40c08389f9b3ac964f7a1188f51dfb7b
SHA1

05b6fb387f69441d4107227d361d3b8ffef821dd
SHA256

426072e14b14fa10a6bf93d53c6bc17ab8d6c0871411dfece93bc765fd7d55ef
SHA512

e42e4cee19cfd90c0fee5ca6ee9425cc257524a1c4de02f94a2b01bbb99679c8794c981eec61f743afa0e8afe5bb744299033695f71fede7b6e753f97e17cbf6
SSDEEP

6144:Lkwtd2QvDC3Wol85o0Fv7UbxoNdyY5A0UHpMV1s3CvPqPY551P:bAQvGWouCaUbU+pMQSncY5b

Score

10^/10

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

- Target
  
  ORDER.EXE
- Size
  
  275KB
- MD5
  
  40c08389f9b3ac964f7a1188f51dfb7b
- SHA1
  
  05b6fb387f69441d4107227d361d3b8ffef821dd
- SHA256
  
  426072e14b14fa10a6bf93d53c6bc17ab8d6c0871411dfece93bc765fd7d55ef
- SHA512
  
  e42e4cee19cfd90c0fee5ca6ee9425cc257524a1c4de02f94a2b01bbb99679c8794c981eec61f743afa0e8afe5bb744299033695f71fede7b6e753f97e17cbf6
- SSDEEP
  
  6144:Lkwtd2QvDC3Wol85o0Fv7UbxoNdyY5A0UHpMV1s3CvPqPY551P:bAQvGWouCaUbU+pMQSncY5b
Score

10^/10

formbook scse persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2